For years, many CISOs have spoken about the need to treat cybersecurity as a business issue rather than an IT problem. Big-name threats, costly breaches, and major outages have brought security to the forefront of business discussions. Finally, things are starting to shift, with 88% of boards of directors saying they view cybersecurity as a business risk. (1) But the integration of security and business is still ongoing. Silos between departments, misaligned goals, and even the internal perception of security are keeping it from its full potential.
Executive accountability has begun to move upwards as security spends more time in the spotlight. Currently, the CIO is the most senior person accountable for security in 57% of organizations, (2) which has often kept security within the domain of IT. However, Gartner predicts that 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026. (3) This should go a long way toward increasing security involvement across the C-Suite.
But for now, silos between the CISO and other leaders remain an issue, with surveys of both security and non-security executives finding consistent response gaps that suggest a disconnect. (4) Better alignment of department goals could help close this gap. 85% of CISOs agree or strongly agree that their cybersecurity strategy is developed with business objectives, such as growth or market share, in mind. (5) However, other teams may not be considering security strategies when crafting their own.
Part of this may be due to how those other teams view security. Traditionally, security has been seen as the organization’s protector, building and maintaining fortress walls to keep out attackers. Sometimes there’s a less charitable view of security as a barrier, always telling people “no” or placing limits on what they can do. This has led to some groups attempting to shut out or even bypass security in their organizations.
CISOs have long walked a fine line between security and usability in their organizations. Leaning too far towards the security side can result in friction for both employees and customers, which also runs the risk of encouraging them to circumvent security measures. But not going far enough can result in major damage, as the average cost of a data breach reached $4.35M last year. (6)
Another common concern is that security slows things down, especially for software developers. In traditional DevOps processes, security can sometimes be an afterthought. It’s brought in near the end of the process, which can lead to delayed releases or post-deployment fixes. That’s why DevSecOps is gaining prominence: embedding security throughout the lifecycle surfaces issues at earlier, less disruptive stages, which avoids delays.
DevSecOps is a great example of how integrating security improves the overall process. What could happen if security took a similar approach with other parts of the business? In order to find out, that traditional view of security needs to change. By making a concerted effort to eliminate silos, build trust, and embed security into all parts of the business, you can shift security from its current role of protector to become a business enabler that contributes to growth and innovation.
To learn how you can change the way security is viewed in your organization so that it reaches its full potential, and how Taos can help you get there, read our latest eBook: From Protector to Business Enabler: Reframe the role of security in your organization.