Given the insecure state the world finds itself in, where nefarious hackers are continually scheming to infiltrate and extract information from businesses, no one can refute the necessity of having or hiring a dedicated security professional, team or department. Of course, what you have is dependent on the size of the business or the amount dedicated to security.
Yet, despite the pivotal role security teams play in today’s cyberwar, they have a reputation for being a barrier to progress, but is this entirely justified?
Security professionals are commonly over-cautious. This isn’t a bad trait and it definitely has its benefits, as they are built to see the negatives and potential threats in almost everything.
It’s this type of mindset that can help the business avoid making a critical mistake. However, being too cautious can have its drawbacks and can lead to limited progress, damaged workplace cohesion and even encourage employees to circumvent existing rules. There have been cases where a CISO has denied certain processes to the point where all business functionality was halted. In the end, the organization simply ignored the individual, but this extremity could set a dangerous precedent. Examples like this have meant, amongst the wider community, the security department has become synonymous with the word “no.”
While there may be an element of truth in this, one must understand that security and, what this encompasses, has evolved; no longer does security just exclusively mean password hygiene or document management. It is now an integral cog in the business machine – with some arguing it is the most important function.
To avoid falling into the “no” trap, CISOs and security personnel must learn how to market themselves as an indispensable asset, that is more open and collaborative while still not fully disowning their cautious nature. It’s important to call out that the branding of the security department is just as important as the actual work they do.
Yet, there are variables that could determine the level of collaboration or cooperation given from a security team. For example, the size, age, type of organization or even the industry it operates in can play a role in shaping a security team’s attitude. There could be numerous regulations that the business has to be compliant with and the current security program adheres to these. When faced with this juncture, it’s crucial to then seek alternative routes and converse to discuss ideas instead of giving “no” as an answer.
There are other approaches to try and help security teams engage with the wider organization while promoting the need for security. Some have touted about not involving security people in security awareness activities. While this may sound absurd, such tasks could be best left to the marketing and communications departments.
Naturally, some security professionals may disagree, but the comms and marketing teams are employed to spread key messages around the whole organization using language all members of staff can understand. This will help strip out the technical jargon that will be lost on the average employee and make the message more understandable and engaging.
Furthermore, the demographic and diversity makeup of the infosec industry is far from being ideal and this has not helped the situation. By welcoming more diversity, whether that be background, culture, race, gender, sexuality and physicality - the more accepting we are of other people, the more accepting we become of new ideas. This is necessary step that many must take to become more open for collaboration and not seen as a barrier to progress.
Thankfully, there are signs of change with forward-thinking CISO’s, start-ups and agile-led businesses doing away with the “Department of No” label. It will be a slow process but if more security teams begin to offer alternatives and take a more engagement approach, then this seemingly harmful mindset will be washed away.
Of course, if the no is a justifiable alternative or the risk is too great then naturally, the security team is well in the right to say no. Make employees understand that security has an impact on the business and on them. Only by opening dialogue will staff know the right processes and if they don’t, then lessons can be learnt.
Ultimately, any rebranding should be positive in nature. Psychology shows that people have a so-called “negativity bias”. In practice, this means that people are more likely to change their behavior to avoid unpleasant experiences. If your department has a reputation for being harsh with offenders or tying workers with red tape, there’s a higher change that your colleagues will merely try to avoid you entirely.
If you’ve read this and feel your security department has similar experiences, converse with the wider organization to showcase the issues you see and then lay down the foundations on how to move forward to get the best possible outcome. Every department should be approachable, and through this, a strong comradery can be built that has a common goal to achieve the best in terms of security and functionality for the organization.