One of the most consistent concerns for InfoSec professionals is the extent to which enterprise boardrooms treat cybersecurity with the seriousness required in order to ensure the reliability of the systems by which peer-to-peer processes are maintained, business intelligence is kept secure and operational capacity remains unencumbered by external threats. This concern is not only centred on the well-documented lack of comprehension of board members who fail to fully appreciate the need to continuously invest in the necessary architecture and supporting infrastructure, but also extends, and is directly related, to the top three recognised primary challenges for enterprise leaders; these being attracting and retaining top talent, regulatory environment and competitive threats, both global and domestic.
When it comes to attracting top talent, there appears to be a disconnect in the thinking of many enterprise leaders when reflecting on the need to secure and retain leading figures within InfoSec and the need to invest in the people and technologies responsible for maintaining an effective security posture. By not only securing top talent, but also supporting those in junior security-led roles, enterprise leaders will successfully retain such talent, allow for a space in which consistent professional development can occur, and increase the possibility of improving upon existing architecture and infrastructure through the organic growth of a mature and responsibility-led culture. By not listening to those responsible for securing such systems, you will not only experience a high turnover in staff, which breeds instability, but you will also make it increasingly difficult to defend against external threats as the pool of talent becomes ever more shallow and the structures they put in place are left to decay.
But there are also things that InfoSec professionals can do to circumvent the lack of comprehension of many enterprise leaders, who, in their defence, may not have a background in cybersecurity. By tying security to the three primary challenges you can begin the process of conveying such concerns in a way which is business-centric rather than IT specific. The most effective way in which this can be achieved is to align security metrics with key business objectives, highlight the cost-benefit of investment and ensure they are fully briefed on the cost of failing to protect against internal and external threats.
If InfoSec leaders wish to have their voices heard as loudly and clearly as is necessary, they need to be able to adequately breakdown and present on the key issues of visibility and resilience. These primary concerns have remained constant over the last two decades and have only served to increase in sensitivity as the tools, techniques and capabilities of hostile actors continue to tighten their grip on the enterprise ecosystem. In a world in which cloud migration of sensitive data is the new normal, exponential growth in data collection is a key business requirement and advanced persistent threats make headlines on a regular basis, now is the time to harmonise the relationship between the board and InfoSec leaders.
Rather than leave the board to wonder why they should invest in cybersecurity in the first place, efforts must be made to answer fundamental security questions rather than view them as unanswerable. Whilst total security will never be achieved, there is certainly a space in which the current level of dialogue can be improved.