Last week, we sent out a survey to our readers asking for their thoughts on a provocative issue that is haunting the world of cybersecurity right now – “are security professionals getting the blame when, maybe, the wider responsibility falls on the entire business ecosystem running up against impossible standards?”
Needless to say, some secpros had a lot to say on the matter. In fact, we were forced to extend our deadline for this article because we had so many high-quality answers to sift through in order to identify a strong theme to pass on to our readers. Without further ado, here are the voices of _secpro!
Do security professionals get the blame for organizational failings to meet almost impossible standards?
Although SOC team members bear a certain amount of responsibility and blame in the event of a breach, they cannot always be held completely accountable for security mishaps, specifically where the weak link lies in the user base. For example, although as security professionals we work hard to lock down network borders and hunt for threats, these efforts can be weakened by lax policies at the senior level. How so, you might ask? Let’s take the case of an executive decision to allow local admin access to certain executives who are not very familiar with network or PC security but want to have unbridled access to their PC so that they can install fonts, programs or make changes to their PC whenever they want. Security professionals may vigorously protest against such a policy, but at the end of the day it is higher-level executives that are calling the shots and can override such protests. When such a user inadvertently downloads malware onto their PC and then the network, who is to blame? The security professionals that were very against that type of open access to begin with, or the management that gave that access the green light?
I think it all depends on the context of the organization. There are standards that can be met according to the scope, and if it should be the responsibility of the CSO or CISO to enforce them, the support they have from the CEO must also be demonstrated, since without this the objectives could not be met.
Jon also added that he had experienced this over and over throughout his 30-year career in the business, so it’s not like this is something new!
What led us to this point?
“More and more, businesses that wrote off cybersecurity as a luxury are coming around to see it as a serious necessity. Nevertheless, it can be difficult to drive the point across how important it is to have a solid budget for cybersecurity and to have an adequate amount of staff members. Even in the IT dept. where I work there has been downsizing and from what I hear, it’s not just IT departments in general but cybersecurity departments that are experiencing layoffs and downsizing to cut costs. I understand the need to save money but the money saved will be meaningless if a threat such as ransomware gets through because there are too few people present to effectively guard the network.”
How can we get out of this mess?
Compliance with standards should be mandatory in companies, but it should include demonstrating compliance by management, as well as keeping records of the procedures carried out by CSOs or CISOs to safeguard their responsibility if they do not receive support.
This, of course, isn’t the only solution. We have more responses from various readers that we will be dipping into over the next few weeks. As more stories emerge, we will be sure to draw on the expertise of the _secpro readership to help us develop fuller answers and pose difficult questions that we – as an industry – have to address.
Leave a comment below if you have something to say!