How to Fix the Broken State of Cybersecurity Culture
Which cultural values empower businesses to thrive today? That’s an open question, of course. But I suspect most employees, managers, and analysts would include items like collaboration, transparency, and creativity on the list of essential ingredients in business success.
Indeed, you could argue that these values are at the core of a variety of modern organizational and technical innovations, from DevOps (which is all about collaboration) to open source software (which centers on collaboration and transparency) and the creator/maker movement (which is, of course, all about creativity).
Yet there is one domain within most businesses where values like collaboration, transparency, and creativity remain suppressed: cybersecurity. Most organizations remain stuck in the 1990s with regard to their security strategies, which tend to be highly siloed, opaque, and not exactly creative or innovative.
Here’s why that’s a problem and how to fix it by turning every employee into a “security creator”.
The Broken State of Cybersecurity Culture
You don’t need to be a CISO to know that security is not exactly working well at the typical business today. You just need to follow the news, which is filled with headlines telling you things like 20 percent of businesses have been breached by ransomware, or that 2021 has been a record-breaking year for security attacks (which is no mean feat, because 2020 was pretty bad on the cybersecurity front too).
There are a lot of reasons why the security strategies of most businesses remain so embarrassingly weak. But chief among them, arguably, is the fact that security cultures are broken. In particular, security culture is flawed due to:
- Lack of collaboration: Security threats affect every aspect of the business and every employee. Yet, the people who manage security are typically siloed teams of security analysts who have limited communication with the rest of the organization, let alone visibility into the typical employee’s day-to-day operations or priorities.
- Lack of transparency: Likewise, only the elite team of security analysts typically knows about the state of threats. The typical employee has no idea what the security status of a given system is, or whether a known vulnerability or breach has impacted a resource that they rely on.
- Lack of creativity and innovation: The centralization of security strategy and operations around a small team of analysts also stifles opportunities for innovation. While security analysts are certainly smart people, businesses limit their opportunity to innovate on the security front when they limit the number of people who can invent and share ideas for new security initiatives. That’s especially true given that (as we’ve noted) the analysts who manage security have very limited visibility into the needs and priorities of the people who use the systems they are supposed to secure.
To be sure, there have been some efforts to address problems like these. For example, the DevSecOps movement aims to increase collaboration between security teams and other technical teams. But the collaboration stops there: even with DevSecOps, security remains the domain of elite, technical practitioners, not something that the entire business can engage in readily.
Likewise, compliance policies and internal governance rules may require organizations to be more transparent with regard to security risks and disclosures. But those rules typically only come into play following major breaches. They don’t provide employees or customers with much visibility into the state of cybersecurity on a day-to-day basis.
Cybersecurity for Everyone
The real solution to the broken state of cybersecurity today requires thinking beyond just compliance, and beyond the IT organization. It necessitates a cultural shift whereby everyone becomes a security practitioner.
In other words, every stakeholder in the organization needs to be able to collaborate with other stakeholders around cybersecurity, to understand cybersecurity risks, and to share ideas for improving security operations.
This doesn’t mean that dedicated security teams should go away. Security experts will always be needed to lead the charge against cyber threats. But they should no longer operate in a silo, leaving the rest of the organization blind and disempowered when it comes to security.
This concept may seem far-fetched, given the complexity of security and the fact that the typical employee probably doesn’t know what SecOps means, let alone understand complicated security concepts or tools. But we’d point out that the IT industry is already full of examples wherein complex technologies were placed into the hands of the masses with very successful results. For example, consider:
- The open source software movement, which empowered everyone to be a developer — or, if they couldn’t code, at least to collaborate with developers by sharing ideas, reporting bugs, and so on. We now live in a world powered largely by open source software, thanks to the realization starting four decades ago that software works better when development ceases to be the realm of a small, disconnected group of programmers.
- The creator and maker movement, which has been enabled by placing creative technologies — ranging from 3D printers to professional-quality design and publication suites — into the hands of anyone who wants them. Unlike fifty years ago, you don’t have to have a degree in design to be able to build great things today. You just need some relatively inexpensive tools that can unlock your creative potential.
- Computing in general, which has evolved since the mid-1900s from being something that only learned engineers could engage in, to a technology that the majority of the planet’s inhabitants can fit in their pockets.
Torq envisions a similar type of innovation for security. By building a security automation framework that anyone — whether technical or non-technical — can use to full effect, Torq wants to make everyone a security collaborator, sharer, and creator.
That’s the innovation that businesses need in order to move the needle in the face of ever-increasing cyber risks. What we’ve been doing for decades on the security front is clearly not working (if it ever did), but we can fix it with a new commitment to collaboration, transparency, and creativity.