Over a decade ago, in 2007, the first iPhone was released and with it emerged an ecosystem of apps that continues to expand to this day. This was a watershed moment, not solely for the technology industry, but civilization as a whole. It was a catalyst for what was to come.
Suddenly, every consumer could access the internet at a touch of a button, and the accumulation of their data by private companies began en masse. It was at this point that data was established as an increasingly valuable commodity, and in turn, became a heightened exploitation risk.
It also instigated a wave of innovation that has yet to break and is only gathering pace. In this state, technology providers, users, and manufacturers get excited about new functionalities, new features, new developments, while little thought is given to the negative consequences that could arise as a result. Indeed, fear has no place in the state of innovation as it is this primal thinking that inhibits creativity.
We have since witnessed some great advancements, including artificial intelligence and machine learning. Yet, where these technologies could help keep us safe online, they could equally pose a significant threat to society, and our security, if not properly managed. As long as we produce technology without foresight into how it could be misused, we are going to continue facing notable societal issues, cybersecurity-related or otherwise.
Consider the ever-growing, ever-maturing underground economy centered around cybercrime. It is not uncommon now to see malware sold ‘as-a-service’, the establishment of ‘hacker universities’ offering degrees in cybercrime, or the mergers and acquisitions of cyber gangs. There is an astounding amount of money to be made in the cyber-criminal world, meaning that the likelihood of a shutdown in the black market is slim to none. Provided that organizations continue to pay ransoms and vulnerabilities persist, bad actors will remain incentivized to pursue their malicious endeavors. Moreover, the tools that we may use for the greater good could easily be leveraged in their more sophisticated attacks.
Trauma by Cybercrime
Needless to say, the threat landscape that CISOs and security teams currently operate in has intensified in scope and complexity. The relentless onslaught of cyber-attacks generates grave costs to organizations from regulatory fines, lawsuits, and remediation expenses to reputational damage and loss of employee productivity.
Just as important, however, is the psychological impact, or trauma, that organizations must contend with too. A recent survey conducted by OneLogin showed that almost every IT leader had felt the need to turn to some kind of coping mechanism - exercise, meditation, or therapy - due to the stress of their role.
Due to the nature of cyber-threats, it is understandable that security teams are feeling a sense of chaos, uncertainty, and lack of control. On an individual level, this trauma manifests in burnout, feelings of isolation, paranoia, suboptimal decision-making, and an obsession with attribution.
Furthermore, a quarter of security leaders reported managing this stress with alcohol or substance abuse. At an organizational level, we may observe dismissals, overeating, overspending, and addiction issues in an attempt to resolve the issue, in addition to anxiety that an incident may reoccur. Worse still, some respond with denial, choosing not to address the potential of an incident, nor speak openly about one in order to learn from mistakes and prevent it from happening again.
Extending a Lifeline
Breaches are now widespread, affecting everyone from the smallest company to the largest conglomerate. Tackling cybersecurity is no longer a technological issue but a business issue. As such, CISOs and their security teams cannot afford to be segregated and operate in isolation. Their voices should not be suppressed by numerous layers of bureaucracy either. In fact, we have seen countless instances whereby CISOs are told to report to the CIO, for example; but this can create a conflict of interest as CIOs may choose not to disclose certain vulnerabilities or shortcomings to save face.
Rather, CISOs must have a direct line of communication to the CEO and be a peer to the head of engineering, the CIO, etc., all of whom need to be receptive. It is only when this is arranged that organizations can facilitate open and productive discussions pivotal to constructing robust mitigation and incident response plans – a ‘successful escape’ during an incident.
By reconfiguring the communication channels this way, CISOs and their teams can also rest assured that they are heard, restoring their sense of control. What’s more, this will foster a greater appreciation for the importance of security among the CEO and other board members, instead of being disregarded as inconsequential. This can relieve the burden and stress that security teams typically bear alone – providing the necessary ‘empowerment’ to overcome trauma.
Some further good news, however, is that over the last year’s collective global trauma, our security leaders appear to be feeling more supported. Nearly three-quarters (74%) of tech leaders suggested in our recent survey that their organization cares about employees’ mental health.
The world of cybercrime has become a permanent fixture of our society, exacerbated only by the accelerating pace of technological innovation. The ceaseless attacks and threats are causing trauma to both organizations and their security teams. In the interest of limiting the long-term effects of this, a ‘successful escape’ and the ‘empowerment’ of security teams must be realized. An important first step toward doing so is giving CISOs a seat at the table.