Is your organisation’s culture holding back your cybersecurity team?
Improving your company’s cybersecurity posture is hard when your day is packed with meetings, your budgets are set by senior executives who don’t fully understand cyber threats and you have to spend most of your time fighting fires.
Here are some of the biggest obstacles that cybersecurity teams face in their day-to-day work, and how those obstacles can hinder their performance.
Less money, more problems
Containing day-to-day threats while driving a long-term cybersecurity strategy is a challenge at the best of times, but when financial resources are tight it becomes even harder. Budgets may be set by executives who don’t understand the team’s roles and costs, and companies that grow in size don’t always scale their cybersecurity spend accordingly. A whopping 64% of Australian businesses say cybersecurity departments are underfunded. That usually means underinvestment in tools and training, and makes it harder for CISOs to stay on top of an increasingly dangerous threat landscape. The key here is to manage stakeholder expectations, and focus on building baseline cybersecurity first.
Under-resourcing invites burnout
Tighter purse strings will affect hiring and worker retention too. HR teams may not understand the value of top professionals, especially with salaries currently spiraling – demand for IT professionals has been described as “exponential”. A department that is understaffed or sees high employee churn is likely to be less productive, with burnout becoming a bigger risk. In cybersecurity, that pressure can lead to damaging mistakes being made, or crucial measures – such as staff training or the analysis of new threats – falling by the wayside. This is where a supportive company culture plays a big role: keeping a close eye on staff well-being and managing expectations can go a long way in minimising the risk of burnout.
The daily grind keeps cyber resilience out of reach
Even well-resourced cybersecurity teams can find it hard to step away from the here and now. Responding to incidents is a vital part of the job, and email-borne malware and ransomware are a growing threat to organisations in every sector. But departments that are constantly in crisis mode will struggle to develop longer-term strategies. True cyber resilience can thus remain tantalisingly out of reach, which leads to even more time spent fire-fighting.
Other tasks, such as compliance and auditing or the need for regular security patching, can also swamp to-do lists. And analysts managing multiple alert dashboards may find that switching between tools and interfaces takes up a frustratingly large part of their day. The answer here is to review the biggest points of vulnerability and focus on securing those and key organisation assets first. No team can guarantee 100% foolproof cybersecurity, and it's important that the C-suite understands this. However, most organisations have a handful of really big security holes where the most damage can occur, and prioritising their security can not only ease the pressure on your team but also improve cybersecurity outcomes.
Meetings can quickly fill up the day
Few things are as frustrating as the ping of a meeting reminder when you’ve got something urgent on your plate. Many executives have limited exposure to cybersecurity, which may mean you need regular catch-ups to present your case or explain the impact of a new piece of software or security protocol. Relationship building is vital, yes, but all too often, meetings become bloated: they’re longer than they need to be, roping more people into unproductive debates. And with cyber teams already under-resourced, they can’t afford to have more of their people tied up in meetings all day. Setting clear agendas, outcomes and participants before sending or accepting any meeting invites can do wonders for fighting meeting fatigue.
Managing, advising and educating people takes time
Frequent meetings, at the very least, help you build a regular connection with other parts of the business. Cybersecurity impacts almost every area of most organisations, from employee laptops and cloud storage to inventory and onboarding. Yet all too often, other parts of the business don’t understand the necessity or urgency of these measures. That means the burden of educating other teams and managing cyber policy also falls on the shoulders of an already-overworked cybersecurity team.
People are wildly varied: some will proactively get on board with your initiatives, while others will switch off as soon as they hear a few too many technical words. They may forget the training module they’ve already taken twice, or quibble as to why password protocols or device policies are adding to their day-to-day workload. Research shows that 32% of organisations believe employee naiveté is the biggest cybersecurity threat they face. Implementing a regular cyberawareness program is one of the most effective things you can do to not just improve cybersecurity, but also cut down the time you spend explaining its importance.
Building relationships with business leadership is challenging, but essential
In an ideal world, cybersecurity would always have a voice at the top table. But often cyber teams are submerged within the IT department. CISOs may report to CFOs or CIOs, whose priorities may be very different from the cyber team’s. Senior executives, for example, may choose to take on more risks, while cybersecurity pros’ jobs are to mitigate risk.
At some companies, communication with the board may only take place once a cyberattack or data breach has actually occurred. Other organisations, meanwhile, are only just waking up to how appealing their data and assets are to cyberattackers. Translating the language of cybersecurity into terms your board can relate to is essential if you’re going to put your point across – but that can be an entire job in itself.
Dealing with these obstacles
You’ll be hard pressed to make all these blockers go away overnight. But there are measures that can help.
Communicating effectively with your board can help them understand risks and show how cybersecurity challenges can impact the business. Effective communication may also unlock more budget, and help gain the support your team needs. Taking time to improve your corporate cybersecurity policy can stop incidents occurring, and help your business respond more effectively when they do. Regular, targeted training can help employees act as your first line of defence, rather than feeling like your biggest liability.
Gains from measures like this will be incremental, allowing you more time to improve your organisation’s cybersecurity culture and strategy. These obstacles will never entirely go away, which is why you need to prioritise your battles. Even getting a handle on a few of the areas above will do wonders not only for your organisation’s cybersecurity posture, but the mental well-being, and performance, of your cybersecurity team.