‘InfoSec hasn’t done a good job in building trust’

By Christopher Tredger, Portals editor
Johannesburg, 07 May 2025
Duncan Rae, group CISO at Pepkor.

Overzealous security professionals and solution vendors are adding complexity to the information security industry, and that complexity hurts both the adoption of security solutions and the overall security posture of the business, says Duncan Rae, group CISO at JSE-listed Pepkor.

Rae will discuss this issue in his presentation at the 20th annual ITWeb Security Summit 2025, on 28 May, at the CTICC in Cape Town.

According to Rae, the InfoSec industry often makes cyber security out to be complicated and difficult to pin down – and this fuels mistrust between the security team and other departments.

“The senior executives don’t usually enjoy meetings with the security team,” adds Rae.

“This is because there is an expectation that the session will inevitably involve a request for even more budget or some other reason why doing something innovative or interesting is not a good idea or adds too much risk,” Rae explains. This is usually met with reservation by restless decision-makers and only fuels mistrust.

“The difficult thing for them is that we don’t communicate well and are often seen as shady car mechanics who just want more people or tech, but no one wants to be the person who denied the security team budget that resulted in us getting hacked,” Rae explains.

This mindset is pervasive, says Rae, and it's why he is working hard to change the narrative. “We really do struggle with that kind of trust… I’ve been working to try to make sure that when we have those sessions, we are not just coming to ask for money, we are coming to talk about the business – what is your top priority, what goal are you trying to achieve, what is your mission and strategy.

“It’s about showing that you really have the business’s best interests at heart, are rowing in the same direction and not just trying to build a big security empire or get the latest top-right Gartner quadrant toy.”

But the objective is not only to change the narrative, says Rae. It is critical that the information gained from these consultations is brought into the security strategy.

Fearmongering

Rae believes a significant part of the problem is that security vendors – driven by targets and profits – often approach the legal teams, auditors, those in finance, risk or marketing and use fearmongering to sell products.

Those approached, who are not necessarily equipped to be able to make the decision, then go on to purchase technology that perhaps their organisations are not yet ready for.

“Data leakage prevention (DLP) tools are my prime example of this. I’ve seen it multiple times where very enthusiastic salespeople from a security vendor come in and sell an expensive product that the company is nowhere near mature enough for… and then the poor IT team must deploy it. It breaks the business, irritates staff (which drives more risk as they just work around this new control) and hurts trust,” says Rae.

“The challenge is to ensure whoever is in discussions with the business – whether it’s me, my team, a vendor, reseller or distributor – that they have the business’s best interests foremost in their minds.

“We haven’t done a good job – as an industry – in building this trust. We’re the ones to blame because we perpetuate this. That’s a perception I am desperately trying to change in my organisation and so I think it is worth talking about.

“Security should never be done to the business, it should be done for the business,” Rae adds. “This is an attitude on the security practitioner’s side and it’s also in the way we communicate. Communication is very important and the most important skill for any leader in InfoSec.”
