With the rise of the digital age, the centuries-old archetype of good versus evil has found its way beyond the literary world and into business, specifically the security function within large enterprises.
As part of some recent IBM research, we interviewed security leaders on a multitude of topics, including top challenges these professionals face. What they revealed definitely echoed a protagonist versus villain sentiment.
While a majority of security leaders cited the emergence of external threats as being at the top of their challenges list, the theme really came into play when one Chief Information Officer characterized hackers as “the bad guys,” designating security leaders as the “good guys.”
While the concept may call to mind an image from an old John Wayne movie, with two cowboys ready to draw their guns and open fire, the comparison actually makes perfect sense.
After all, who are these leaders if not the protagonists in the wild, wild west of security?
Regardless of where CISOs and the equivalent sit within an organization, they are data protectors, individuals who safeguard the company’s most valuable asset: information. These are the good guys who ensure that the bad guys don’t have a chance to “sneak into your network and steal things,” as one CISO put it – an issue that has become more and more relevant with multiple hacking incidents brought to light in 2014 alone.
But how does a protagonist fight the “increasingly sophisticated” villains who, on top of everything else, are also now “more and more motivated by monetary gain?” asked one Global Head of Cyber Security.
This brings us to the next top two challenges the good guys face: getting buy-in for security initiatives and securing the budget.
The right arsenal
In some ways, these obstacles are the same as those faced by other parts of the business; nevertheless, they remain constant struggles for security executives. For buy-in, in particular, CISOs strive to garner broad support prior to an implementation in order to avoid problems later on. This is a formidable task considering that, as one CISO pointed out, “You’ve got to get everybody on board, from the employee farthest down on the food chain all the way up to the CEO of the company.”
Although reports of increasing external threats have risen in the media, security leaders still face the challenge of convincing users that security is necessary. As one Chief Information Officer admits, “I spend much more time selling it than I do installing it, meaning that our users do not want it. As much as I try to explain it to them, they could care less about security.”
It’s not a surprise then, that securing funding is another major hurdle. And it’s not just about getting the right budget. It’s also about balancing risk against cost, because as this one Director of Information Security reminds us, the good guys “rarely have the limitless resources that the bad guys do – in fact, the good guys usually have to compromise.” He goes on, “Once you understand that you’re not going to get your way 100 percent, you have to figure out what is acceptable to you. What is your risk tolerance?”
Another CISO reveals that persuasion plays as much a factor in budget approval as it does in getting buy-in. “Security is not a cheap thing,” he stressed. “It’s very expensive to stay secure. I have to do a lot of convincing at the executive office in order to do what I think is necessary to keep things safe.”
However, despite the multitude of obstacles security leaders face, there is a silver lining. In recent years, security has grown increasingly prominent within large enterprises. This is a notable step in the right direction since a seat at the executive table creates opportunity to mitigate some of these challenges.
And sometimes it’s these very challenges that make the job so attractive to security leaders. One CISO reiterated the sentiment of many of his peers: “It’s an exciting time to be in information security. You don’t have to look any farther than the closest newspaper to see the threats that are out there, and I like being part of something to combat that.”
This is quite reassuring. After all no one wants a hero who doesn’t want to save the world…or in this case, combat the ever-evolving challenges and bad guys within the world of security.
To learn more about the evolution of security in the IBM Center for Applied Insights’ latest Chief Information Security Officer study.