The CISO Report – The Culture Club

According to the Cyber Security Skills in the UK Labour Market 2023 report released by the UK government, 50% of UK businesses face a fundamental cyber security skills gap, while 33% grapple with an advanced skills gap. This is just one of the challenges that the Chief Information Security Officer (CISO) must face. While these figures remain similar to 2022 and 2021, it’s evident that there’s still work to be done to bridge the expertise divide.

Interestingly, the ClubCISO Security Maturity Report 2023 also highlighted the fact that the shortage of talent is of key concern to CISOs. According to this report, it is this shortage of skilled security professionals that is making it difficult for organisations to find and hire the talent they need. We shall return to this topic shortly, but let’s take a closer look at this valuable resource for CISOs.

The ClubCISO Security Maturity Report

The first thing to note is that this report is based on a survey of 182 information security leaders in the EMEA region. The report provides important insights into the current state of information security and the challenges and opportunities that security leaders face.

The report holds critical importance because it highlights where we were, where we are, and where we are headed, and focuses on more than just technology. It gives us an insight into the risks, the people, the technology, and the cultural aspects of information security. This is something which is often absent from similar surveys and reports, yet in this report, the word “culture” appears 84 times, compared with “technology”, which appears just 25.

Surprising results

Of course, some of the findings, such as the lack of available talent are not a surprise. However, it may come as a surprise that despite what we hear in the media, there were fewer material cyber incidents and breaches across the respondents’ organisations in 2023, compared to 2022. Does this mean we can reliably say that we are winning the war on cybercrime? I very much doubt it.

What is happening is that we are getting better at communicating the importance of security and data protection, leading to more support from the C-Suite. The report echoed this as respondents stated “Leadership endorsement is the most impactful factor in improving security culture.” This once again demonstrates that Bruce Schneier was accurate when he said, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

The use of the term “security culture” is important because, for decades, this is what we have been striving for. Clearly, the message is getting through. But what message?

Cultural Shift

The report highlighted a number of key challenges facing organizations in the EMEA, which are clearly now being discussed in the C-Suite. These challenges include the level of regulatory compliance that organisations now face, especially those operating in these regions. In my opinion, the General Data Protection Regulation (GDPR) is still a massively misunderstood piece of legislation that organisations need help with, yet, the C-Suite recognises the importance of it.

Added to this is the ongoing threat cybercrime, as organisations large and small are facing an increasing number of cyberattacks, including ransomware attacks, data breaches, and Distributed Denial of Service (DDoS) attacks. Cybercrime-As-A-Service is a very real risk that organisations now need to contend with.

This is all leading us towards a change in attitudes about information security and data protection, where they are respected as important topics within the organisational structure. This is where the report hints that the secret to success is within cybersecurity and something which every CISO should be aware of.

Cultural Respect – The Secret Sauce

To embed cybersecurity and data protection within an organisation, you do not look to build a security culture, but rather, you look to build a culture that respects the importance of Security.

This is a simple, yet profound distinction. Every organization possesses a culture, which might either emerge naturally or be intentionally and meticulously developed. Regardless of its origins, the influence of this culture on an organization remains undeniable. Whether the culture has a positive or negative effect relies on its interaction within the existing environment, making it both a potential risk and a valuable asset.

If every organisation already has a culture, trying to change it is like trying to swim upstream and will be incredibly difficult, leading to what I refer to as “the fatal 3-Fs’” – frustration, fatigue and failure.

Conclusion

This report is essential reading for CISO’s, but do not simply take the facts and figures on face value. Look beyond the statistics and understand what it means to you and your organisation. Review the section on culture carefully, including the answers to the question related to “What has been the most effective at fostering a better security culture over the last 12 months within your organisation?” and “What most negatively impacted security culture over the last 12 months within your organisation?” The answers to these questions alone should help you formulate a strategy for how you will develop your security programme, and move towards a more secure organisation.

Finally, I started this post talking about the skills gap, and here’s the controversial piece; I don’t believe there is a skills gap. Every day I meet or speak to someone who is trying to break into the industry, so how can we have so many vacancies?

I believe there is no skills gap. There is an expectations gap. There is a gap in our perspective. But there are ample people out there with the skills you’re looking for, but you’re looking for the wrong things.

We need to establish a baseline of skills that we expect someone to have, and we should test people against them. We need to hire people with the values and characteristics that fit within the culture of our organisations. These cannot be built or trained, and therefore we should hire people based on who they are, not on what they know.

By hiring based on soft skills and character, we will develop a diverse business culture that supports what we are trying to achieve, and will ultimately lead to the utopian security culture that we strive for.

The ClubCISO report emphasises the importance of this as it states clearly that CISOs feel their main barrier to meeting their objectives is insufficient staffing. As indicated in the report, “In an effort to fix this, over 95% of organisations are trying to retain talent and recruit new staff, with a particular focus on hiring for diversity to strengthen teams and bring different perspectives into the business.”

By doing so, we can solve the issue of the perceived skills gap AND help build the security culture we are striving for.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.