Cybersecurity Teams Are Burned Out, Fatigued
An RSA survey of IT professionals found that 76 percent believe that attacks will increase in 2020. That’s no surprise: Breach attempts have increased relentlessly every year since the birth of the internet. But what is worrisome, Ghai said, is the personal toll it’s taking on security teams, which in many organizations are stressed-out and exhausted.
Two out of five CISOs think they will be held personally liable for any breach that occurs in their organization and that it may cost them their jobs, according to RSA research. As a result, said Ghai, most CISOs say they rarely disconnect from their job.
“Business leaders worldwide are concerned about cyberattacks, constantly,” Ghai said. “End users aren’t tech-savvy enough and are being inundated with clever attacks, making life harder for burned-out security teams. The adversary has hacked our brains.”
The Narrative on Cybersecurity Must Change
To change things, cybersecurity professionals need to “reclaim the narrative, reorganize our defense, rethink our culture,” Ghai said. For starters, they should report more openly on their own wins and on hackers’ failures. As it stands, cybersecurity only enters the public realm when there’s a breach; one never hears about occasions when potential hacks are thwarted, because organizations don’t want to discuss their tactics or invite additional attacks.
But they should reconsider that philosophy, Ghai said; they should even crow a little when they foil a hacker’s ultimate objective, even if they fail to stop the breach.
“We don’t have to win for the hackers to lose,” he said. “It cost the city of Atlanta $1 million to restore services after a major hack, but they took a courageous stand not to pay off the hackers. That’s not a win for them, but the hackers lost.”
Second, the IT industry should remember that end users aren’t the only ones whose security practices need improvement; the creators of software and applications often write code that’s vulnerable to attack. Finally, Ghai argued, organizations need to build cultures that make security everyone’s responsibility, not just that of the cyberdefense team. That includes the rest of the IT department, business leaders and other risk managers, who today have an interest in cybersecurity but “are largely observers” rather than actors.
“We’ll certainly use technology to protect technology and recruit machines to fight the good fight, but in the end this will always be a human story,” he said. “Ours will never be a world without breaches, but it will be one where those breaches will not get in the way of human progress.”