Posted in Security

Security vs. agility: how to resolve the legendary corporate clash

It is time for a culture change, and its champion must be the CISO. Their role in the new complex and fast-paced IT environment must be to engage and support rather than police and enforce.

Taj El-khayat, Director – EMEA South, Vectra AI

Pandemic lockdowns were a catalyst for many changes. Across the region and around the world, isolation acted as a social equivalent of sensory deprivation, setting many new trends in motion. People reexamined their compassion, and this showed up in surveys and in a renewed interest in ESG (environment, social, governance) issues. People also reexamined their own ambitions, leading to the Great Resignation. In short, whether they were thinking of themselves or of others, people started thinking more about people.

This extends to the region’s business stakeholders. Today, in all roles, we see a greater emphasis on the employee experience (EX). After all, how can we protect our internal talent pool from the Great Resignation if we do not meet employees halfway? EX is often thought of in the context of digital transformation: we must empower employees with the tools they need to be productive, inspired, challenged and satisfied. Of course, any HR executive knows we must go further. All aspects of the employee’s work and home life must be accommodated. Management at all levels must enable and monitor the new concept of “bring your whole self to work”. Interdepartmental disputes must be handled with poise and care. And one such age-old dispute that is coming to the fore in the new hybrid workplace is the one between cybersecurity professionals and literally everybody else.

In the context of the digital estate, with its sensitive data and critical workloads, security professionals are police officers, spies, firefighters and doctors, all rolled into one. But to their colleagues, they are seldom seen as heroes. To many security professionals, a scarce talent that digital businesses must learn to attract and retain, it must seem as though they are only noticed when an adverse incident occurs or when they are trying to educate colleagues on best practices. Ironically, colleagues then tend to blame them for the very incidents those best practices were meant to prevent.

Productivity vs. risk

The sad truth is that security best practices can be irksome to someone whose role does not include risk management. From their point of view, their productivity, enabled by the very data and workloads that cyber-professionals are committed to protecting, must come first. So they take shortcuts or ignore advice, leading to further confrontations.

It is time for a culture change, and its champion must be the CISO. Their role in the new complex and fast-paced IT environment must be to engage and support rather than police and enforce. The technology suite has changed. Employees, wherever they work, are having to come to terms with delivering their output efficiently and reliably in an unfamiliar work environment. When members of the security team tell them they are doing something wrong, they tend to disagree. It is their job to get these invoices sent by 5pm, to make this customer happy or to prepare that report; it is security’s job to keep them safe while they do it. So why is security telling them they are in error? Shouldn’t security be the one to deliver… security?

This is the mindset the CISO and their team must overcome. Something has to give, and security can be the one to extend an olive branch: stop telling users how much work they have created for security personnel and adopt a more conciliatory approach instead. Adversarial discussions even take place between security and their fellow technologists. Nowadays, the ability to rapidly churn out enhancement after enhancement to digital experiences is how DevOps teams prove their worth. When security teams raise concerns about the lack of governance in the development process, conflict follows.

‘Quickly, quickly’ vs ‘softly, softly’

The transition is a difficult one. Security teams are trained to react to risk, and if they determine that a colleague is the source of that risk, every instinct will press them to say so, whether face to face, by email or by some other means. Yet agility is important to the modern digital business. The threat of losing it can be as existential as that of any ransomware attack. DevOps teams and other departments must work fast to get the next big thing out to market.

Such rapid scrambles are a stark contrast to the slow and steady “softly, softly” methods of cybersecurity specialists. However, CISOs must acknowledge that times have changed. DevOps is not the future; it is nothing less than established dogma for the digital business. It is impractical to get security’s sign-off on every project before it is deployed into the wild. First, there are often too many projects and too few security professionals in an organisation to allow it. Secondly, the modern development process is so fluid that each security analyst would almost have to work full time on approving change requests for a mere handful of solutions.

The best way to overcome this is for security analysts to be involved day to day in the methods DevOps teams use to build and ship, so that DevOps becomes more autonomous in implementing security best practices. The CISO must form new relationships in which their team members become contributors rather than gatekeepers. That means going beyond their core mission to become enablers of productivity and innovation within the digital experiences themselves, empowering the right people with the right tools at the right time.

And so, culture change. It is taking place across the region’s enterprises and even within its governments’ agencies. A realisation has swept industry after industry that attitudes must be transformed before we turn to our digital capabilities. This will be challenging for CISOs and their teams, entrenched as they are in the methodology and processes of risk-spotting. But if they instead prioritise the building of strong relationships, they may find many more paths to the safety they are sworn to provide.