


Security Maturity Has a Communication Issue

Apr 18, 2023 | 5 mins


At first glance, the motivations to increase security maturity seem clear. Industry reporting fills news feeds advising on the latest threat or vulnerability poised to take over an organization’s systems to wreak havoc on local and global operations. However, while the emerging risks of increased threats are valid, it’s not the whole story.

Cybersecurity is indeed a global concern that affects every organization. However, there is no direct path to guaranteed success. Each organization’s approach to increasing cybersecurity maturity and resilience must incorporate the move from generalities to specifics concerning their operations, risk tolerances, regulations, and best practices.

The need to assess generalized guidance for suitability and applicability, followed by the ability to adapt to individual requirements, presents a significant challenge to most organizations. It’s generally agreed that some action is needed, but the translations needed to understand the applicability are complex. The result is that even though the organization’s outcomes are agreed upon across the different teams, the path to achieving them is not. A significant cause is a failure to communicate effectively between stakeholders with different viewpoints and motivations.

Processes, stakeholders, and communication

Every organization will differ, even if only slightly, in how they operate and what tools and technology they leverage to sustain these operations. Critical to the success of a business operating in a competitive market is the design and optimization of the processes in place to deliver their outputs, often comprising a primary element of their differentiation.

Many stakeholders weigh in as an organization designs, redesigns, and optimizes its processes. Each of these stakeholders, from across the organization, brings a critical viewpoint to the task: their experience, expertise, and understanding of impacts as they relate to their view of the process in action. These diverse viewpoints can take an organization from good to great when they are well considered and effective communication channels remain open. Conversely, when communication is ineffective, perspectives are disregarded, and stakeholders are excluded, the outcomes are generally poor, and opportunities for excellence are snuffed out before they can even begin.

The issue of miscommunication in cybersecurity matters is a leading cause of inconsistent outcomes for organizations. In many cases, the challenge of overcoming this issue is poorly understood. The causes are often visible in plain sight, but the divisive and exclusionary tendencies of players from all sides remove the ability to resolve them and, worse, further perpetuate them. The end state is an organization where all sides want to increase their cybersecurity maturity, yet initiative after initiative fails to deliver the expected outcomes, further eroding trust while leaving risks unmanaged.

Different motivations, similar outcomes

It is rarely the case that an organization collectively and actively aims for poor cybersecurity resilience. Often, poor outcomes result from misaligned priorities as an extension of miscommunication. This is heard in conversations between different teams and seen in the frustrations of each group when the expected actions are not taken. For example, the security team describes a risk they classify as high to the business leadership to secure the budget needed for mitigations. However, the budget never arrives or is inadequate to complete the task.

The security team reacts by exclaiming that no one understands how at risk the organization is. The leadership group, for its part, believes that action commensurate with the quantified risk has been taken. The problem is clear: while each party is right, they are also wrong at the same time. Getting into this state is common, but understanding why is not.

The communication between the different groups from start to finish helps explain the misalignment. Each group shares the target outcome of a resilient and sustainable business. The difference is the motivations and perceived priority of the various elements in place and additionally needed to support this outcome. While one group may be motivated to prioritize an initiative through their understanding and appreciation of the priority, if this is not communicated to the other stakeholders in a way where they can appreciate its gravity, it is understandable that misalignment and frustration will result.

Understanding the confusion

Effective communication can be difficult; even when the channels are open, sustained effort is needed to maintain it. Within an organization’s walls, it can elevate inter-team engagement to develop an effective, productive, and robust discussion culture. But this doesn’t resolve the issue entirely. The considerable noise, opinion, and sensationalization from parties external to the organization once again throw mud in the water. Nevertheless, the first step toward better communication is acknowledging that a challenge exists and being open to engaging with it.

In the next part of this series, join me as I explore how vendors, the media, and regulatory agencies and bodies influence cybersecurity maturity and how organizations can navigate the ongoing journey.

Do you see a cybersecurity communication challenge within your organization? Take a moment to review how you communicate with different groups and how they communicate with you. Note down any communication issues you see and keep them handy for the next parts of this series as we explore ways to overcome them.

In the meantime, learn more about emerging trends and focus areas with TXOne Networks’ Insights Into ICS/OT Cybersecurity 2022, written in collaboration with research done by Frost & Sullivan.