I’m thrilled to announce our latest research into a problem as old as time (or, at least, my time — 25 years! — in security): the silos between technology and security teams. How big is the problem? Officially, it’s not — according to numerous global technology decision-makers who we surveyed, cybersecurity is a top priority. Unofficially, though, from my own experience, and from the experience of almost every security professional I know, there is a problem.
And it’s a sizable issue — if we were playing a game of “Never Have I Ever” in a professional context, and I took a turn listing “Never Have I Ever Formed An Unbreakable Alliance With The Technology Team” as my experience, there would be a room of largely sober CISOs.
Not only is this tension the cause of significant stress to CISOs and tech leaders (and their teams), but in any situation where you’ve got people busy fighting with one another and pointing fingers, then at a very practical level, the work is not getting done. In this instance, this work is the cybersecurity posture of the organisation — it is taking a back seat as a result of these silos.
Why this research? why now?
My colleagues Paul McKay, Aidan Riga, and I kicked off this research because we observed, through other research projects and from speaking to our CISO and tech exec clients, that this problem somehow took a southward turn in the last 12 months. We wanted to see if, and how, technology and security teams can do better as professionals.
We observed that one significant factor behind the widening rift is reconfigured reporting lines — as recently as 2017, that means that the small number of tech execs who are still responsible for security are having to navigate an increasingly complex threat landscape, deal with an evolving discipline outside of their core set of expertise and have to report to the board on this topic.
The remaining 67% of tech execs with no direct responsibility for cybersecurity still find themselves accountable for implementing and operating a big part of security controls — the worst of all worlds.
And before we dived into the solution, we wanted to be very clear about the root cause of the silos that I, and countless others, have experienced and observed. We took the time to hear the “other side of the story” — the tech exec’s side. Few tech execs we spoke to reported positive relationships with their CISOs; most were lukewarm to outright hostile.
The relationships fell into three categories: positive but conditional (better where the CISO reports to the CIO or the CIO co-leads security and tech); neutral (with the CISO largely seen as technology-focused); or outright hostile.
Many different sides to the story
Tech execs told us they contend with competing goals, a complete lack of pragmatism, and a “sky is falling” mentality from their security counterparts or direct reports. They mentioned that they feel criticized, as though they’re having dirt thrown at them or being told that their baby is ugly.
Conversely, they were not always aware of the challenges facing CISOs and security teams: the CISO Da Vinci fallacy, burnout, and a talent gap, to name a few. Motivations and past traumas don’t excuse anyone’s current behaviour, of course, but understanding them gives you a different lens on their past and can help you work toward a better future.
How do we solve this? can we solve it?
Left unaddressed, negative dynamics will fester, causing serious personal, professional, and business harm to all involved. You can hope that these relationship problems will go away — or address them head-on.
While we didn’t have a firm hypothesis for the solution, we expected to explore matters such as co-created technology/security strategies, better processes, and governance to align the teams and different technologies to enable tighter integrations between the two functions.
We couldn’t have been more wrong. While certainly people, process, and technology matters came up repeatedly, the research ended up taking a plot twist!!!
The themes emerging from those tech/security exec pairs who found and/or wished for harmony revolved around two significant, yet often confused to be nebulous and squishy, words: empathy and trust. Luckily, we know from Forrester’s data-driven research into both empathy and trust that they are concrete and can be built.
Read our research (Forrester client access only) to see how to exercise empathy and make trust concrete in order to build an alliance between tech and security. Spoiler alert: The research contains a trust relationship evaluation, complete with a scorecard, and specific actions to build, repair, improve, or elevate your relationship.
If that scares you a little, because of, well, the words “relationship” and “evaluation,” think about it this way: More than 2 million of us take the Myers–Briggs evaluation annually without blinking. Unlike other corporate-type evaluations, this brief trust relationship evaluation is focused not only on yourself but also on your peers and on building a successful relationship with them.
I know that we are technologists working in security and technology teams, but we are also all humans doing human things in a social context. Yes, even work is still fundamentally about human emotions!
First published on Forrester Blog
