Feb 14 2020

A Good Security Story Can Make All the Difference

Cybersecurity professionals, plagued by a shortage of IT talent and needing to increasingly secure their systems, find that telling the right story just might help in their fight.

“Security is fundamentally broken.” This was the sentiment echoed by Theresa Payton and other security experts at the CDW Protect SummIT this week in San Antonio. 

Payton, president and CEO of Fortalice Solutions, made this assertion in reference to the industry’s lack of consideration for human users when it comes to security design. And though her argument was primarily focused on security tools, this idea of putting humans first in security — from rollouts to security awareness training — holds potential for security professionals.

Throughout the SummIT, many attendees voiced human-centric concerns to thought leaders following their presentations, asking how to gain leadership buy-in or how the industry can collectively address its shortage of skilled professionals. Answers from the experts often boiled down to one message: Start by telling a better story.

Here’s a look at what story security leaders should actually be telling — not only to better implement security measures across their organizations but to have a stronger impact on their business goals as a whole.

How to Get Buy-In from Leadership

Security professionals often struggle to convey the importance of security to leadership and to validate new business security initiatives, no matter how important they might be. It can be difficult to instill security principles into larger business models, despite them being crucial in order to reduce the risk of incidents such as data breaches.

So, how do security professionals bring more attention to their projects and get board approval for these critical initiatives? It starts with open communication.

Having a visibility discussion with leadership to explore the risks your organization faces is important, said Astin Thomas, CIO for Sunbelt-Solomon Solutions, at the conference. This is especially true for new CIOs or CISOs, he said. 

“If you come in and you’re building the security program, have a third-party organization look at the infrastructure before taking your case to the leadership team,” said Thomas. Many times, leadership won’t pay attention to your assessment unless there is a credible source backing it, which can be hard to prove on one’s own as a newcomer. 

Executive leadership team members also care about the impact new security protocols will have on their departments, said Thomas. You must explain how security plays a role in every department and why, he continued, such as the importance of information security in HR or finance. Jeremy Weiss of CDW also suggested that this can be helpful in meeting executive leaders where they are in terms of their level of cybersecurity understanding. 

“Taking that step back to sell to the board is important,” said Weiss, a cybersecurity practice lead. “If you’re a smaller business, you might want to introduce them to third-party risk.”

Many executive leaders of smaller businesses believe that hackers are not directly targeting them, Weiss said. The attackers could, however, be after much bigger fish, such as a partner, he noted. The introduction of cloud and mobile poses major liabilities for your organization, which should be shared with leadership. In fact, Weiss shared, 61 percent of breaches now come from a third party.

“No one is a stand-alone entity as a business anymore,” said Weiss. “You rely on your business partners to keep your business up and running.”

Finally, consider consolidating and making use of the security tools the business already has in place. For the majority of security teams weighing new approaches to their architecture, such as zero trust, the tools that already exist within the infrastructure can help them get there. This approach will ultimately make security more efficient for the business, said Weiss, and will lead to departments spending less money, which business leaders always enjoy.

Find the Right Candidates for the Job

Beyond struggling to gain buy-in from leadership, many professionals in the security field also face a shortage of skilled professionals. This is not only affecting the types of projects that can be taken on by businesses but also the workloads of their entire security staffs. 

“We can’t have people who are in the field leave it,” Payton said. To combat this, she recommends working with HR to change the language around both job descriptions and qualifications for candidates.

“These job descriptions are soul-crushing,” she said. “Where’s the noble cause? What am I even going to be protecting? And why do you require a college degree? We have to change our mindset around qualifications and who is qualified.”

Payton believes organizations should consider vetting candidates based on a “work degree” — a list of experience that demonstrates to hiring managers that the candidate might be a good fit for a given role. 

For smaller businesses struggling to hire more talent because of budget constraints, Weiss suggested changing their security story: set the business up for success by partnering with a third-party vendor for security advisory services.

“You can’t do it all on your own,” said Weiss. “You have to ask for help.”

Joe Levy, CTO for Sophos, agrees. “If you give the control to the vendor,” said Levy, “they’ll probably do a better job than someone who works for you that’s not in the industry. And I think the industry is proving that to be true.”
