The success or failure of any cybersecurity team increasingly comes down to how early they are involved in a new business initiative. Unfortunately, a recent survey of nearly 1,300 cybersecurity leaders conducted by the consulting firm EY finds only a little more than a third (36%) of new technology-enabled business initiatives include the security team from the start.
That’s especially unfortunate at a time when more organizations are launching digital business initiatives than ever. It’s clear many of those initiatives are likely to be delayed or significantly reworked after being rolled out because one or more cybersecurity issues were not raised earlier.
Of course, disconnects between cybersecurity teams and the rest of the business are longstanding. For example, almost three-quarters (74%) of the respondents said the relationship between cybersecurity and marketing is, at best, neutral, if not mistrustful or non-existent. More than two-thirds (64%) said the same of the research and development team, while 59% said there are issues with lines of business. More than half (57%) say their relationship with finance is also strained.
Much of this dysfunction can be traced back to the simple fact that most business leaders don’t want to be told that a certain new initiative isn’t feasible from a cybersecurity perspective. Cybersecurity teams have come a long way in terms of trying to securely enable new business processes. However, there is always going to be tension. On the upside, more application developers are starting to embrace DevSecOps best practices, so more security controls are being baked into applications as they are developed. Like most cultural transitions within organizations, though, it may be a while before organizations can point to tangible benefits from that approach.
Inspiring teams to care about cybersecurity
In the meantime, it’s incumbent on cybersecurity professionals to engage their colleagues as much as possible. In many cases, simply checking in regularly with different teams will lead to conversations where cybersecurity professionals learn about all kinds of things they might not know are occurring within their organization. It’s not that their colleagues are trying to deliberately hide things from them. It’s just that most of them continue to think of cybersecurity as something that gets bolted onto a process versus being built into it. As such, they simply don’t see a need to engage cybersecurity teams early in the process.
Of course, the other factor at play is that many other teams are simply intimidated by cybersecurity. Very few business executives have the confidence to admit what they don’t know, especially if a function is perceived to be somebody else’s responsibility. Cybersecurity professionals would do well to emulate a patient grade schoolteacher who needs to get occasionally unruly students to appreciate some core concepts. Otherwise, the very people cybersecurity teams are trying to help will just wind up waiting for the meeting to be over so they can move on with the rest of their lives.
It’s up to cybersecurity teams to get the rest of the organization to care about cybersecurity. Other teams may never have the same passion for it as a trained cybersecurity professional, but enthusiasm catches on.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.