Evaluating the value of IT-security initiatives is difficult because “disconnected” security professionals work to key performance indicators (KPIs) that don’t translate well into business terms, according to a new report that warned the situation is promoting CISO burnout by marginalising security practitioners and making them question their professional value.
Fully 44 percent of the 565 IT decision-makers – from five countries, including Australia and New Zealand – surveyed in the Thycotic-Sapio Research Cyber Security Team’s Guide To Success said they have no clear vision of what other departments in their organisations consider to constitute “success”, with 43 percent saying that overall business goals are not communicated to them.
Security teams’ “everyday focus on responding to immediate threats and incidents leads them to become too disconnected from the business,” the report noted, with just 21 percent of IT decision-makers believing their role or team “consistently meets expectations”.
Budgeting and strategy practices forced IT practitioners to lean heavily on their past achievements when promoting their achievements – with 48 percent promoting past success and ROI.
Some 44 percent lean on improvements in productivity and efficiency measures, while 40 percent promote the value of their initiatives in improving compliance and reducing the risk of fines. And 40 percent argue that their initiatives’ commitment to protecting customer data provides an important differentiator that justifies the expenditure on security.
Some 89 percent their own KPIs to measure their success – yet despite this technical detail and the top-line benefits it supports, many security practitioners are struggling to establish an evidentiary link between their past initiatives and the business benefits they deliver.
Indeed, 45 percent of the respondents said they have no way to know what difference past security initiatives have made to the business. And 52 percent struggle to align their security initiatives and internal KPIs with the business’s overall goals.
“The reactive nature of an IT security professional’s work leaves them constantly looking to past achievements to demonstrate their value – a metric that bears no correlation to the organisation’s current situation or success,” said Thycotic chief security scientist and advisory CISO Joseph Carson.
“This disconnect inevitably puts them at disadvantage and leaves them struggling to make a positive impression with the executive board or colleagues in other departments.”
This ongoing struggle was having deleterious effects on the well-being of CISOs, who – like other security practitioners – face real issues with burnout and tenures that are too short to accomplish meaningful change.
Going it alone in a time of growing stress
Fully 42 percent of respondents said the growing number of compliance and regulatory demands had become the most stressful aspect of their jobs, while 45 percent said that burnout and stress from long working hours and business pressure were creating major staff retention issues.
A lack of support from senior leaders was named by 40 percent of respondents as another key retention challenge – supporting the idea that security staff must be actively supported from above to bolster their job satisfaction and retention.
Indeed, asked what ‘success’ looked like to them, Australian respondents were the most likely to name meeting the board’s performance targets as the most important factor – named by 50 percent of respondents and well ahead of the global average of 40 percent.
However, being valued by the company was nearly as important, with 45 percent of respondents saying this sense of value helped them justify the stress of their job.
Creating a companywide cybersecurity program is an invaluable way of fixing these cultural gaps, Carson said.
“Organisations should appoint Cyber Ambassadors who are both technically proficient and skilled communicators to enlist cross-departmental co-operation geared to early warning of any anomalous activity,” he explained.
“This will have the twin benefit of putting IT security on a more proactive footing and reduce the potential impact of security issues on the business.”