There’s a cybersecurity perception problem in UK business

Cybersecurity professionals have an important job to do, but attitudes in the workplace might be hampering their efforts.
25 January 2019


In 2019, your business’s cybersecurity has never mattered more.

Increasingly sophisticated attackers can find exploitable weaknesses quickly, putting sensitive data and your company’s finances, operations and reputation at risk.

With more and more systems coming online, from smart HVAC controls to Industrial Internet of Things (IIoT) equipment, a compromise can even put physical safety at risk.

Yet even as adequate security has become essential, a new study suggests that UK business has a perception problem when it comes to the weight of the task entrusted to its cybersecurity experts.

In fact, the majority of UK cybersecurity professionals feel undervalued by colleagues and employers: 63 percent say their security teams are viewed as organizational ‘naysayers’, ‘doom-mongers’ or a ‘necessary evil’.

According to the report, the trend persists despite growth in the hiring of CISOs and data protection officers following the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018.

The findings were based on a survey of 100 IT security decision-makers in the UK, who were interviewed on workplace attitudes towards their cybersecurity staff.

The exercise revealed that 38 percent believe these specialists are viewed as ‘policemen’, while just over a quarter said they were seen as something that “just runs in the background” and is not really noticed.

The real issue, however, arises when new company-wide measures are introduced: three-quarters (74 percent) reported negativity or indifference towards new security measures and policies.

That has led nine in ten to suggest that policy changes might be communicated to management more effectively via messaging from other departments, such as Human Resources or Finance.

Over half said security teams felt restricted by the board, an issue exacerbated by the fact that just 41 percent of security teams have a board-level presence, such as a CISO.

Joseph Carson, Chief Security Scientist and advisory CISO at Thycotic, said it was disappointing that security teams did not feel valued by either co-workers or senior executives, but suggested the onus might be on the teams themselves to articulate their importance.

“The fact that negative opinions are rife among employees also suggests that security teams need to work harder to communicate the strategic importance of their roles to the business and reinvent themselves as ‘facilitators’ rather than ‘enforcers’ who enable the business to run smoothly,” he said.

According to Carson, one of the main reasons for conducting the study was to find out what is working and what is not.

“We believe organizations need to shift their focus to reducing risk by using cybersecurity techniques, skills and knowledge, rather than seeking to address cybersecurity in general without any tie-in to the business,” he added.

Carson said he did not find the results of the study surprising, adding that it is time for security professionals to present cyber risks in terms of return on investment and the financial cost of the risk.

“The cost of not having insurance coverage in these areas […] these are things that boards and all the departments within the business will understand,” he said.