Why cybersecurity fails
Intro
Even before the pandemic and challenges of remote work, the surge of cyberattacks, and overall surging uncertainty, cybersecurity management was considered a stressful job. Quite a few publications (e.g. [1], [2]) have appeared over the last couple of years, highlighting this topic. The articles discussed emotional burnout and depression spreading across the industry managers and suggested that action should be taken.
While it’s never a bad idea to attract some attention to a growing concern, the reasons that journalists used to justify the issue are far from specific to cybersecurity. Inadequate funding, understaffing, and pressure from a rapidly changing environment are pains for every other department out there.
I will try to elaborate on the real combination of challenges that information security professionals face.
Infinite source of expenses
Long story short. Security is expensive and requires a constant flow of funds to remain current and effective. I have led security programs worth millions of dollars, yet we always had a long roadmap in front of us, not to mention the operational and maintenance costs. Cybersecurity leadership really needs to be a budgeting ninja to prioritize the needs of the department and balance them with the sponsors’ generosity limits.
Impediment to the processes
Do you like traffic lights or border control inspectors? Nobody does. This is what enterprise security looks like to most people: tons of stupid rules and hypothetical dangers.
Unfortunately, security is seldom an enabler. More often than not, when something gets more secure, it also gets slower, less convenient, and more complex. Moreover, security is always more expensive than insecurity (in terms of money, time, and other resources). That’s why security must stick to a ‘just enough’ level.
Omnifocus
To be effective, security programs must permeate companies in all dimensions. Consequently, the number of relevant stakeholders grows exponentially, and the majority of them are probably resistant. Like, who wants to deal with more impediments and focus on negative scenarios?
C-level, management and staff, subcontractors, vendors, clients, etc. Every dimension, process, or entity must, at least, be analyzed from the risk perspective. This is a lot of complex work to do.
Little power, a lot of accountability
While being called a 'strategic priority', cybersecurity leadership seldom carries a lot of power outside of its own domain. Thus, it's doubtful that, say, a CISO can pressure any person within the organization just because of his/her role.
That’s why leading standards and institutions emphasize the importance of a top-down approach to cybersecurity. The CEO and the board must approve and support a cybersecurity program, preferably by showing some good personal examples of compliance.
Permanent uncertainty
The products of security management are risk controls, not a state of safety or security. There is no such thing as “complete security” or a risk-free environment. Risks always remain, threats evolve, and the attack surface changes.
Focus on negative
For humans, it is tough to stay alert and watch out for danger for long. It causes stress, fatigue, and elevated blood pressure. At the same time, the role of cybersecurity leadership is to prevent security incidents from happening, which implies a constant search for weak spots and potential failures. It’s very easy to get paranoid and acquire various professional deformations while being involved in constant risk identification and re-assessment. Considering the constraints that we have already discussed, burnout looks inevitable.
It looks frustrating and gloomy, right? But bear with me, and in the next post, I will talk about the approaches one can take to regain control and live happily once again. Subscribe now to know more about that.
P.S. Thinking about information security does not only make the CISO and his/her team suffer. Several scientific studies show that regular users also feel stressed and unsafe due to ‘elevated awareness’. Want to know more about it? Yet another reason to subscribe!
Written by
Maxim Mozayev
An IT guy helping companies maximise dev team performance and deliver high-complexity products. Most experience in project and product management, tech team leadership, industrial IT, systems architecture and cybersecurity. Passionate about DevOps and GoLang.