Working relationships between cybersecurity, business and IT groups are strained and fraught with challenges

As the old adage states: People are the weakest link in the cybersecurity chain. This is a problem because strong cybersecurity depends upon both individual skills and organizational collaboration between cybersecurity, business and IT groups. To use another analogy, cybersecurity is a team sport. If the cybersecurity team doesn’t communicate and collaborate well with other groups within an organization, it will be difficult—if not impossible—to stay current with what’s needed for security incident prevention, detection and response.

Unfortunately, this is the situation too often today. According to a new research report from ESG and the Information Systems Security Association (ISSA)—The State of Cybersecurity Professional Careers—20 percent of cybersecurity professionals claim that the relationship between cybersecurity and IT teams is “fair or poor” today, while 27 percent rate the relationship between cybersecurity and business teams as “fair or poor.”

Allow me to provide a few examples as to why these relationships are so important: While infosec teams set policy and discover cyber events in progress, they count on IT teams to provision systems, configure devices and respond to alerts in a timely manner. Communications and collaboration problems can disrupt the timeliness of these processes, which can add IT risk or increase the amount of time it takes to respond to an issue. Problems between business and cybersecurity groups can have a similar detrimental effect on cybersecurity efficiency and effectiveness.

What are the major challenges that impact the working relationship between cybersecurity, business and IT groups?

According to the ESG/ISSA report:

Twenty-six percent of cybersecurity professionals said the biggest challenge for the working relationship between cybersecurity and business groups is “goals alignment.” In other words, these two groups are working toward different goals, which creates conflict between business objectives and the cybersecurity safeguards intended to protect them.

Twenty-eight percent of cybersecurity professionals said the biggest challenge for the working relationship between cybersecurity and IT groups is “prioritizing tasks between the two groups.” This means cybersecurity and IT groups are “not on the same page” when it comes to things like scanning networks, patching systems or changing configuration settings. These missteps can open up vulnerabilities or turn a minor system compromise into a major data breach.

Even organizations with highly skilled cybersecurity professionals, strong CISO leadership and leading-edge infosec technologies won’t be successful if the cybersecurity team can’t coordinate effectively with IT and the business. This is not something CISOs can fix on their own. Addressing communications and collaboration problems demands leadership and participation from CEOs, CIOs, line-of-business managers and everyone else who reports to these folks.

The entire report, The State of Cybersecurity Professional Careers, is available for free download. Your feedback on the report is most welcome.