Overlooked and underappreciated? IT security professionals are suffering from an image problem
New research from Thycotic reveals IT security professionals feel they are seen as the 'doom mongers' or a 'necessary evil' by employees.
The majority of UK IT security professionals feel they're suffering from an image problem among fellow workers, according to new research commissioned by Thycotic, a provider of privileged access management (PAM) solutions for more than 10 000 organisations worldwide.
Nearly two-thirds of respondents (63%) feel their security teams are either viewed as the company naysayers, specifically either 'doom mongers' or a 'necessary evil' (36%). Also, 27% of respondents said company security and security professionals are just something that runs in the background which employees don't really notice.
The research, conducted with 100 IT security decision-makers within the UK, revealed that more than a third of respondents (38%) believe they're viewed as the 'policemen'. Worryingly, when asked if they'd ever experienced negativity towards their team and their work, 13% said this happens 'all the time'.
Almost three-quarters (74%) of security professionals reported negativity or indifference regarding the introduction of new security measures and policies, with employees believing it will hamper their work (35%), or barely noticing them (39%).
Security professionals are also struggling to promote their value to other departments in the business. The overwhelming majority (90%) believe other departments could have a better understanding of what they're trying to achieve, while an equally high majority (88%) feel it could be easier to communicate their views to executive management in other functions such as HR and finance.
Execs feel board perceives them as functional, not a force for competitive advantage
When it comes to how they're perceived by the C-suite, there are further challenges: 56% feel they're restricted by the board, which may be accounted for by the fact that only 41% of organisations have a CISO in place on the board. While the security team can be instrumental in business transformation, only 44% believe the C-suite sees them as a positive force for innovation and just one in 10 respondents (13%) believe the board sees them as helping the company to gain a competitive advantage.
It also suggests boards may be paying lip service to IT security teams, as there is a disparity between what the board says and how this translates into investment. While 87% of security professionals believe the board listens to them and values their input, a considerable proportion (62%) believe the board can't always see the business case for security investments.
Commenting on the findings, Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic, notes: "At a time when security teams are under huge pressure and play an increasingly strategic role within the company, it's disappointing that they're not feeling valued either by their co-workers or by senior executives. The fact that negative opinions are rife among employees also suggests that security teams need to work harder to communicate the strategic importance of their roles to the business and reinvent themselves as 'facilitators' rather than 'enforcers' who enable the business to run smoothly."
He continues: "Clearly instrumental in this will be achieving a greater representation of CISOs at board level and improving cross-departmental communications."
For more information, please go to: https://thycotic.com/resources/cyber-security-executives-survey-report-europe/.
Thycotic commissioned independent market research specialist Vanson Bourne to undertake the research. Vanson Bourne interviewed 200 IT security decision-makers in November 2018 on the position and reputation of IT security departments in companies.
The sample comprised 100 respondents in Germany and 100 in the UK with at least 1 000 employees or more from a range of private and public sectors. Interviews were conducted online using a rigorous multi-level screening process to ensure only suitable candidates were given the opportunity to participate.