If you work within the cybersecurity space, the terms “doom-mongers” or “scare-police” might sound familiar to you. If you feel that’s how the rest of your company views you, then you’re not alone. Thycotic’s 2019 European Cyber Security Teams Survey Report found that as many as 63% of security professionals felt their security teams were viewed as the company’s naysayers, often labelled ‘doom-mongers’ or a ‘necessary evil’.
A further 27% believed that other employees see the security team as something running in the background that they don’t really notice.
These figures really hit me in the gut.
When you see yourself as an outcast in your own organisation simply because of your (critical and technical!) role, it can easily sour your outlook on your career as a whole. When it’s whole departments, it’s a real problem.
Thycotic’s report also found that ‘39.5% of survey respondents felt that employees had a negative impression either all the time or on a regular basis (of IT security staff and their work)’.
It’s not as if Infosec teams are the ones swinging the axe and making layoffs. They’re not rolling out multi-factor authentication (MFA) just to annoy employees. They’re not yammering on about email scams because they like the sound of their own voices.
The cyber threat is real. But perhaps other employees don’t exactly see it that way. Let’s explore why this is so.
Think about your cybersecurity communication practices
Each company function has its own culture and is perceived differently by the wider organisation. Sales are probably the go-getters, the hype team. HR professionals are the friendly faces ready to help everyone else out. But why are the Infosec team the scare-mongers?
One possible reason is the cybersecurity culture within organisations - the tendency to communicate reactively rather than proactively.
When we talk to the rest of the company about cybersecurity, we’re mostly talking about incidents that have already happened, threats that other businesses are currently experiencing, newly disclosed software vulnerabilities, and so on.
Consider the impact this has on business leaders, and also the rest of the organisation. If the majority of the communications they receive from Infosec teams are after a cyberattack, informing them about the damages incurred and what to do to mitigate those threats, can you really blame them for associating Infosec teams with ‘gloom and doom’?
It’s worse still when these incidents aren’t communicated at all.
If company leaders are creating a culture of denial around cybersecurity, then they themselves are scared. Just recently, even Google tried to keep quiet about a Google+ data exposure, which was later uncovered by a Wall Street Journal investigation. While legislative and regulatory initiatives like the GDPR seek to bring transparency to what’s really going on behind the scenes in information security, some companies are secretive by nature. That’s partly because disclosure can hurt the bottom line, and partly out of fear that publicising a flaw before it’s fixed lets malicious actors exploit it, or go looking for similar weaknesses elsewhere in the platform.
This hush-hush attitude, informing only execs of weaknesses and breaches, can lead employees to believe that attacks on the company aren’t actually happening. By containing this information, we’re effectively misleading the rest of the company into thinking our security is tight and there isn’t much to worry about.
But as I keep saying, cybercrime isn’t a question of if, it’s a question of when. Your organisation WILL be infiltrated by cybercriminals at one point or another - all it often takes is a single well-crafted email to cause havoc in your systems. When that happens, won’t it inevitably raise questions about the effectiveness of your Infosec team, especially if the rest of the business has been kept in the dark about what HAS been done in the past to counter these threats, even where those efforts ultimately fell short?
Collaboration is ultimately key to making cybersecurity strategies work, as Alastair MacGibbon, Head of the Australian Cyber Security Centre, stressed at MailGuard’s 2018 Cybersecurity Awareness Luncheon. Hindering that collaboration through poor, delayed or absent communication with the rest of the business only reinforces the negative perceptions of your Infosec team.
Stop making cyber security so ‘dark’
I am aware that, with the heightened focus on cybersecurity awareness in firms today, you may argue that proactive communication is in fact taking place: Infosec teams have (hopefully) established regular, frequent contact with the rest of the organisation, educating staff on becoming more cyber-resilient, and you may also be talking about the strategies you’re putting in place to deal with future threats.
But have you ever wondered how effective that communication is?
I often write about the human factor as one of the biggest vulnerabilities in your organisation, but if humans are also key to solving the cybersecurity puzzle, we should probably look at how we capture their attention in the first place.
Just a couple of months ago, Lynwen Connick, former Australian Signals Directorate and information security chief turned ANZ bank CISO, issued a stern warning that keeping cyber relevant for everyday people is still a major battle yet to be won.
“Cyber defence fails to ensure security is built into non-security products and experts are often guilty of using complex language which scares people about the dangers of being online without providing simple ways to help people do the right thing,” Connick said on ANZ’s official Blue Notes blog.
“Cybersecurity can be perceived as being too hard to manage and a drain on people’s time. There can be a general perception cyber incidents only happen to ‘someone else, not me’ or are someone else’s responsibility – which leads to complacency.”
As somebody who interacts with both tech professionals and business owners frequently, I see this all too often. Infosec teams often (unintentionally, of course) end up using language in their interactions with other teams that is technical, aimed at fellow experts and almost indecipherable to anyone else. It’s then hardly surprising that 74% of respondents to the Thycotic survey I mentioned earlier believed their colleagues were either negative or indifferent about new security policies and measures. And 90% of respondents said other departments could gain a better understanding of what security teams are trying to achieve.
Call it an occupational hazard, or a vocabulary born of a love of the trade, but the fact is that such language makes cybersecurity and its nuances seem impenetrable, sparking indifference and fear of the unknown among those from non-technical backgrounds. To make matters worse, that fear is probably exacerbated by the risks the rest of the business DOES understand - such as the large financial losses that follow a data breach. It’s equivalent to knowing what you’ve got to lose without understanding how you’re losing it, or how you can prevent it. Are you still wondering why cybersecurity professionals are viewed negatively today?
How can we effectively articulate risk without being pigeon-holed?
If we want to improve our relationships with the rest of the organisation, it becomes imperative that we are more transparent about our processes and incidents, and that we humanise cyber risk. We need to talk about specific incidents from an employee’s point of view. Showing the number of thwarted attacks on a report pulled from your dashboard is best left to impressing upper management.
Staff on the ground need to hear Hannah from HR’s story about how she accidentally leaked payroll details in response to a cleverly worded email that looked as if it came from the company accountants.
First-hand, detailed, real accounts are what really hit home with the average employee, and they’re more effective delivered in security meetings than in email bulletins. Sure, you can throw in your overall facts and figures, but they shouldn’t be the focus. Remember the basics of a story: who, what, when, where and how are all relevant and paint the picture.
Changing attitudes takes time, but with more effective communication, transparency, humanisation of cyber issues, and an open mind, you might just find the Infosec team coming in first place in the office congeniality contest.
Get the facts
Companies are spending more on cybersecurity now than ever before, but those funds aren’t always targeting the most significant dangers. There seems to be a disconnect among many CEOs about where cyber threats actually come from.
Studies consistently show that more than 90% of cyber-attacks are delivered via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime, we have to get real about the nature of the threat.
I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.
You can download my e-book for free, here.
“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.
... ... ...
Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter.
I’d really value your input and comments so please join the conversation.