The constantly evolving cyber landscape places business leaders in a perilous position when it comes to weighing up the risks and opportunities of using modern communications channels in the workplace.
Post-pandemic, more companies have embraced (and continue to embrace) remote work and hybrid work environments. This has required a rapid global adoption of various communication apps and channels like Slack, Teams, WhatsApp, Zoom, and more. However, with this shift in how we do business comes massive gaps in security and compliance.
Although information security isn’t traditionally seen as an enabler of innovation, CISOs are now finding themselves under greater pressure to find the optimal balance, rather than just laying down and enforcing the rules.
Let’s discuss why people think cybersecurity is a barrier, and how CISOs can correct that mindset while embracing cybersecurity innovation.
Why People Look at Cybersecurity as a Barrier
A study conducted by Harvard Business Review revealed that people still view cybersecurity as a hindrance to their work processes:
“During the 10 workdays we studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.”
When asked why they breached protocol, 85% answered with one of the following responses:
- “...to better accomplish tasks for my job.”
- “...to get something I needed,” and
- “...to help others get their work done.”
The study also discovered that stress was a factor. People were more likely to break security protocol on days when they felt more stressed than usual. This suggests that a stressful work environment reduces employee tolerance for rules that impede their jobs or make the process less straightforward.
Additionally, if the protocol (1) hindered productivity, (2) required extra energy and time, (3) forced them to do things differently, or (4) made them feel like they were monitored all the time, the chances of violating security procedures increased.
Notably, only 3% of the reported policy breaches occurred with retaliatory intent, implying that non-malicious policy breaches were 28 times more common.
These facts highlight the need for cybersecurity innovation—a new set of protocols or solutions that address IT security concerns without hindering employees’ abilities to work or communicate effectively.
The Challenge That CISOs Face
Today, InfoSec has to contend with the fact that other departments within the organization are more determined to innovate than ever before. Marketing teams want to boost visibility and engage their target audiences on social media. Support personnel want to leverage instant messaging to serve customers more efficiently. Product development departments are tapping into online communities to gather feedback. Communication technologies have become the key enablers of modern business.
Blocking these critical channels on the grounds of security and compliance concerns is to build a wall between business needs and the many new opportunities that can accommodate them. An abundance of caution could be forgiven, given that incidents involving billions of stolen records are hitting the headlines regularly. Many business leaders live in constant fear that they, or their technical partners, will be next.
It’s only normal to view cyber threats as economic disablers and cybersecurity as a necessity that exists for the sole purpose of reducing risk. However, rather than letting cybersecurity amplify the perception of threats facing today’s businesses, CISOs should instead see it as a source of hope; a way to add value throughout the organization. What it all boils down to is the fact that cybersecurity can itself be a competitive advantage that empowers innovation rather than blocking it.
Cybersecurity Is a Process, and It’s Everyone’s Responsibility
Business leaders need to change the way they view cybersecurity. Instead of a cost burden, they should view it as a competitive differentiator; an integral component of the entire digital transformation process. To get better at their jobs and earn the support of all departments within the organization, CISOs need to convey this by building relationships that help drive cybersecurity innovation and share the duties of information security, privacy, and compliance.
These three things are everyone’s responsibility too. Marketing and customer support teams are at the forefront of a brand’s reputation in an age when a single data breach can undo years of brand-building in one fell swoop. Product development teams can wreak havoc if they accidentally (or intentionally) use unsecured channels that leak intellectual property or trade secrets. This makes every employee across every department responsible for cybersecurity in some way, which is why it’s the job of the modern, connected CISO to educate and enable; not just lay down the ground rules.
While the importance of cybersecurity innovations like firewalls, CASB, and endpoint protection cannot be overstated, it’s also important to remember that cybersecurity as a whole isn’t a destination. It’s not a turn-key solution that can be outsourced in full, and neither is there any such thing as a protection device that can secure the company entirely. Above all, cybersecurity is a journey, a process that combines strong leadership and education with the right tools. Unfortunately, this is also a paradigm shift that might be interpreted as security being a bottomless pit of budgeting whereby companies are pressured to keep investing as much money as they possibly can to improve it.
That’s not how things have to be. CISOs should instead focus on delivering value throughout the organization by being drivers of innovation. By forging closer ties with every department, they’ll be better placed to empower employees to independently assess risks in real-time and take a share in the responsibility to protect the organization. It’s their job to demystify security and, in doing so, transform the perception around it.
First Watch: Listen to Brian Honan on why cybersecurity isn't just an IT problem
The Modern CISO Empowers the Business
Traditionally, CISOs were considered protectors, internal regulators who would prohibit the use of certain communication channels and practices that could compromise cybersecurity or compliance. Today, the primary goal of the modern, connected CISO is to reconcile information security with current cybersecurity innovations.
Case in point: In 2022, US regulators fined Wall Street firms and banks almost $2 billion for allowing their bankers and traders to use WhatsApp. The firms were found to be violating compliance monitoring and recordkeeping regulations, which resulted in hefty fines for major institutions like Bank of America Corp., Citigroup Inc., and Goldman Sachs.
However, this could have been avoided if their CISOs had possessed visibility into WhatsApp. The modern CISO shouldn’t immediately prohibit such channels for the sake of risk management, but they should demand oversight. They should find a way to enable the use of such channels without adding risk to the organization.
Given the crucial role of these platforms in modern business, finding a way to enable them while balancing the risk factor immediately adds value to the entire business. If all they do is say no, the CMO will end up missing out on a significant opportunity to propel business growth. In some cases, employees might even go against the decision of the CISO and start using said channels anyway, which is about the worst thing that can happen when it comes to both security and innovation.
This challenge inevitably raises the question of how CISOs change the image of security from the ‘department of no’ to leading innovators that inspire every facet of the organization to drive growth. Today’s CISOs are relationship-builders with close ties to every department throughout the organization. Their job is to enable and even drive change by garnering a better understanding of the business problem, and not just the technical and administrative challenges around information security. Security by design is, after all, a process enabled by transparency and mutual understanding. That’s why CISOs need to get everyone on board, holding regular meetings with leaders of other departments, such as CMOs, CFOs, and CCOs. Once they can achieve that, they’re no longer just protectors, but vanguards with the power, knowledge, and experience to lead change.
Technology Is a Friend
Enterprises, especially their CISOs, have a responsibility to keep themselves well-informed about cybersecurity innovations that can make the work environment more secure without hindering productivity.
Recent advancements in cybersecurity now allow employees to work securely without being hassled or interrupted. Cyber technology innovations in the form of Natural Language Understanding (NLU) are changing the game by offering seamless security integrations and a smooth workflow.
In an interview with Jill Malandrino for Nasdaq Trade Talks, SafeGuard Cyber CEO Chris Lehman explains how NLU protects enterprises:
“What Natural Language Understanding does is actually look inside of these communication channels and analyze the text of the conversation itself. So we can detect threats that are language-based that traditional security technologies just weren’t designed to pick up or detect.”
Compared to traditional cybersecurity tools, NLU-enabled solutions work in the background, silently dissecting the language-based elements of a conversation, including lexical features, spelling, and topical elements. The messages remain private since there is no human intervention involved in the analysis and evaluation. Only messages that contain speech patterns that suggest phishing, social engineering, or malware are identified and flagged.
CISOs should be aware of and embrace this new kind of visibility across their communication channels, a defense-in-depth approach that secures an enterprise’s tech stack without stifling its users.
Leading through Education, not Prohibition
Most data leaks and breaches are the direct result of negligence. The numbers don’t lie: incidents involving insider threats have risen 44% over the past years, with costs at about $15.38 million per incident. This is partly because non-experts often still hold the perception that cybersecurity is all about technology and control, and not about best practices that can be a net positive for the business.
Perhaps the shortage of specialized cybersecurity skills is itself due to fear. Naturally, a core part of the CISO’s job is just the same as it always has been: technical expertise. However, raising awareness of good security habits has to happen, especially now that the most common threat is social engineering, which exploits human vulnerabilities rather than technological ones. Even once you take the technology layer out of the equation, there’s still a whole lot more to protecting digital assets, and that’s where everyone outside the InfoSec department becomes part of the problem and the resolution as well.
CISOs play an increasingly educational role in today’s business by teaching employees how to identify threats and giving them the right tools for the job. In other words, they leverage technical skills and knowledge to enable the responsible use of technology, instead of putting up a barrier to cybersecurity innovation in a world where social media, cloud computing, and mobile devices are all things that modern businesses cannot survive without.