I’m excited about the publication of my latest research for security and risk pros that takes on a problem as old as time, or at least as old as cybersecurity: the silos that exist between tech and security teams.
How big is the problem? Officially, it’s not — according to numerous global technology decision-makers we survey, cybersecurity is a top priority. Unofficially, though, from my own experience, and from the experience of almost every security professional I know, there is a problem. If we were playing a game of “Never Have I Ever” in a professional context, and I took a turn listing “Never have I ever formed an unbreakable alliance with the technology team” as my experience, there would be a room of largely sober CISOs.
Not only is this tension the cause of significant stress to CISOs and tech leaders (and their teams), but in any situation where you’ve got people busy fighting with one another and pointing fingers, then at a very practical level, the work is not getting done. In this instance, this work is the cybersecurity posture of the organization — it is taking a back seat as a result of these silos.
Why this research?
We kicked off this research because we observed, through other research projects and from speaking to our CISO and tech exec clients, that this problem of silos between security and tech teams somehow took a southward turn in the last 18 months. It kept on getting mentioned in hushed tones on inquiries and guidance sessions as a reason for not being able to move to an agile environment, to obtain and report on meaningful metrics, or to execute on Zero Trust promises, as well as general ranting about “the other side.”
We observed that one significant factor behind the widening rift is reconfigured reporting lines — as recently as 2017, 60% of CISOs reported into technology, compared to 33% today. This means that the small number of tech execs who are still responsible for security are having to navigate an increasingly complex threat landscape, deal with an evolving discipline outside of their core set of expertise, and report to the board on this topic. The remaining 67% of tech execs with no direct responsibility for cybersecurity still find themselves accountable for implementing and operating a big part of security controls — the worst of all worlds.
Before we dived into the solution, we wanted to be very clear about the root cause of the silos. In conducting this research, we decided to listen to the tech exec’s side — a side that many of us in security haven’t had the opportunity to explore in details.
The learning was humbling: Few tech execs we spoke to reported positive relationships with their CISOs; most were lukewarm to outright hostile. The relationships fell into three categories: positive but conditional (better where the CISO reports into the CIO or the CIO coleads security and tech); neutral (with the CISO largely seen as technology-focused); or outright hostile.
Different sides to the story
Tech execs told us that they contend with competing goals, a complete lack of pragmatism, and a “sky is falling” mentality from their security counterparts or direct reports. They mentioned that they feel criticized, as though they’re having dirt thrown at them or being told that their baby is ugly.
Conversely, they were not always aware of the challenges facing CISOs and security teams: the CISO Da Vinci fallacy, burnout, and talent gaps, to name a few. Motivations and past traumas don’t excuse anyone’s current behavior, of course, but understanding them gives you a different lens on their past and can help you work toward a better future.
Solving the problem
Left unaddressed, negative dynamics will fester, causing serious personal, professional, and business harm to all involved. You can hope that these relationship problems will go away — or address them head on.
While we didn’t have a firm hypothesis for the solution, we expected to explore matters such as co-created technology/security strategies, better processes, and governance to align the teams and different technologies to enable tighter integrations between the two functions. We couldn’t have been more wrong. While, certainly, people, process, and technology matters came up repeatedly, the research ended up taking a plot twist!!!
The themes emerging from those tech/security exec pairs who found and/or wished for harmony revolved around two significant, yet often confused to be nebulous and squishy, words: empathy and trust. Luckily, we know from Forrester’s data-driven research into both empathy and trust that they are concrete and can be built.
Originally posted in Forrester
