As the old adage states: People are the weakest link in the cybersecurity chain. This is a problem because strong cybersecurity depends upon both individual skills and organizational collaboration between cybersecurity, business, and IT groups.
To use another analogy, cybersecurity is a team sport. If the cybersecurity team doesn’t communicate and collaborate well with other groups within an organization, it will be difficult if not impossible to stay current with what’s needed for security incident prevention, detection, and response.
Unfortunately, this is the situation too often today. According to a new research report from ESG and the Information Systems Security Association (ISSA), 20% of cybersecurity professionals claim that the relationship between cybersecurity and IT teams is “fair or poor” today, while 27% rate the relationship between cybersecurity and business teams as “fair or poor.”
Allow me to provide a few examples as to why these relationships are so important:
While infosec teams set policy and discover cyber-events in progress, they count on IT teams to provision systems, configure devices, and respond to alerts in a timely manner. Communications and collaboration problems can disrupt the timeliness of these processes, which can add IT risk or increase the amount of time it takes to respond to an issue. Problems between business and cybersecurity groups can have a similar detrimental effect on cybersecurity efficiency and effectiveness.
What are the major challenges that impact the working relationship between cybersecurity, business, and IT groups? According to the ESG/ISSA report:
- 26% of cybersecurity professionals said that the biggest challenge for the working relationship between cybersecurity and business groups is “goals alignment.” In other words, these two groups are working toward different goals, which actually creates conflict between business objectives and the cybersecurity safeguards intended to protect them.
- 28% of cybersecurity professionals said that the biggest challenge for the working relationship between cybersecurity and IT groups is “prioritizing tasks between the two groups.” This means that cybersecurity and IT groups are “not on the same page” when it comes to things like scanning networks, patching systems, or changing configuration settings. These missteps can open up vulnerabilities or turn a minor system compromise into a major data breach.
Even organizations with highly skilled cybersecurity professionals, strong CISO leadership, and leading-edge infosec technologies won’t be successful if the cybersecurity team can’t coordinate effectively with IT and the business. This is not something that CISOs can fix on their own – addressing communications and collaboration problems demands leadership and participation from CEOs, CIOs, line-of-business managers, and everyone else who reports to these folks.
The entire report, The State of Cybersecurity Professional Careers, is available for free download. Your feedback on the report is most welcome.