I just got done looking at an article in CPO magazine that discusses how, despite ever growing cybersecurity challenges, organizations are falling short in addressing the issues. The article goes on to cite various interesting statistics, but two pieces of information really stood out. One is that the leading cause of cybersecurity breaches was non-malicious user error. The other is that organizations are having a hard time finding and retaining cybersecurity staff. 

This illustrates a couple of very important issues, and the main issue is that your biggest risk and potential threat does not come from outside your organization, but instead from inside your organization…or as a result of mistakes made within the organization that carry forward. Let me explain. 

Non-malicious user error is a training issue, and more importantly it is an issue that requires employees to care enough to make cybersecurity a priority. This is tough to do when the employees don’t feel empowered, which is a growing issue today. Employee loyalty is waning as organizations continue to slash costs to make shareholders happy, and they are also experiencing massive burnout due to changing workloads and working conditions (Business Wire Release). We have all witnessed this at some point. Employees can be trained, but making them care is about empowerment, which brings me to my second point. 

Cybersecurity professionals have lots of work available to them if they want it. What has happened over the last decade or more is that cybersecurity professionals have indeed become true specialists, and have certainly become more professional as university programs and certification programs, such as the ones offered by SANS and ISC2, have become more prevalent. Now one thing a cybersecurity professional does not like is when the organization simply refuses to implement the changes and fixes that the professional has painstakingly discovered and recommended. This happens often enough that I can guarantee EVERY professional who is reading this can come up with dozens of examples. So basically nobody who takes their work seriously wants to be the token security guy or gal…or the trophy a company points to when someone asks what they are doing about cybersecurity. Please bear in mind that this is my opinion as a security professional, and one I know from personal interactions is shared by many like me. Now if they complain enough to management, boards and CXOs about this, they either get marginalized or perhaps even laid off…or maybe they just leave on their own. Now you have a disgruntled ex-employee out in the wild who has deep and intimate knowledge of your cybersecurity shortcomings, and unfortunately, news travels fast in cybersecurity circles. A few beer bashes at a cybersecurity conference and suddenly pieces of information start slipping out. I have seen this happen even at a CXO level.

So what does this all mean? Well for one thing it means that if you are an organization that is going to bother to find the best and brightest to do a job, and you don’t empower them, what you really end up doing is putting your organization at higher risk. It is just like going to the doctor, receiving a diagnosis about a health issue, and doing nothing to address it: a bad outcome is likely. However, in addition to the bad outcome from not addressing the risk, there is an additional risk that comes about when the health information gets “leaked.”

Food for thought…