I’m excited about the publication of my latest research for security and risk pros that takes on a problem as old as time, or at least as old as cybersecurity: the silos that exist between technology and security teams.
How big is the problem? Officially, it’s not — according to numerous global technology decision-makers we survey, cybersecurity is a top priority. Unofficially, though, from my own experience, and from the experience of almost every security professional I know, there is a problem. If we were playing a game of “Never Have I Ever” in a professional context, and I took a turn listing “Never have I ever formed an unbreakable alliance with the technology team” as my experience, there would be a room of largely sober CISOs.
Not only is this tension the cause of significant stress to CISOs and tech leaders (and their teams), but in any situation where you’ve got people busy fighting with one another and pointing fingers, then at a very practical level, the work is not getting done. In this instance, this work is the cybersecurity posture of the organization — it is taking a back seat as a result of these silos.
Why This Research? Why Now?
We kicked off this research because we observed, through other research projects and from speaking to our CISO and tech exec clients, that this problem somehow took a southward turn in the last 18 months. It kept on getting mentioned in hushed tones on inquiries and guidance sessions as a reason for not being able to move to an agile environment, to obtain and report on meaningful metrics, or to execute on Zero Trust promises, as well as general ranting about “the other side.”
We observed that one significant factor behind the widening rift is reconfigured reporting lines — as recently as 2017, 60% of CISOs reported into technology, compared to 33% today. This means that the small number of tech execs who are still responsible for security are having to navigate an increasingly complex threat landscape, deal with an evolving discipline outside of their core set of expertise, and report to the board on this topic. The remaining 67% of tech execs with no direct responsibility for cybersecurity still find themselves accountable for implementing and operating a big part of security controls — the worst of all worlds.
Before we dived into the solution, we wanted to be very clear about the root cause of the silos. In conducting this research, we decided to listen to the tech exec’s side — a side that many of us in security haven’t had the opportunity to explore in detail.
The learning was humbling: Few tech execs we spoke to reported positive relationships with their CISOs; most were lukewarm to outright hostile. The relationships fell into three categories: positive but conditional (better where the CISO reports into the CIO or the CIO coleads security and tech); neutral (with the CISO largely seen as technology-focused); or outright hostile.
There Are Different Sides To The Story
Tech execs told us that they contend with competing goals, a complete lack of pragmatism, and a “sky is falling” mentality from their security counterparts or direct reports. They mentioned that they feel criticized, as though they’re having dirt thrown at them or being told that their baby is ugly.
At the same time, they were not always aware of the challenges facing CISOs and security teams: the CISO Da Vinci fallacy, burnout, and talent gaps, to name a few. Motivations and past traumas don’t excuse anyone’s current behavior, of course, but understanding them gives you a different lens on their past and can help you work toward a better future.
How Do We Solve This? Can We Solve It?
Left unaddressed, negative dynamics will fester, causing serious personal, professional, and business harm to all involved. You can hope that these relationship problems will go away — or address them head-on.
While we didn’t have a firm hypothesis for the solution, we expected to explore matters such as cocreated technology/security strategies, better processes, and governance to align the teams and different technologies to enable tighter integrations between the two functions. We couldn’t have been more wrong. While, certainly, people, process, and technology matters came up repeatedly, the research ended up taking a plot twist!!!
The themes emerging from those tech/security exec pairs who found and/or wished for harmony revolved around two significant words that are often dismissed as nebulous and squishy: empathy and trust. Luckily, we know from Forrester’s data-driven research into both empathy and trust that they are concrete and can be built.
Read our research (Forrester client access only) to see how to exercise empathy and make trust concrete in order to build an alliance between tech and security.
Spoiler alert: The research contains a trust relationship evaluation, complete with a scorecard, and specific actions to build, repair, improve, or elevate your relationship. If that scares you a little, because of, well, the words “relationship” and “evaluation,” think about it this way: More than 2 million of us take the Myers–Briggs evaluation annually without blinking. Unlike other corporate-type evaluations, this brief trust relationship evaluation is focused not only on yourself but on your peers and on building a successful relationship with them. I know that we are technologists working in security and technology teams, but we are also all humans doing human things in a social context. Yes, even work is still fundamentally about human emotions!
Let’s Connect
Forrester security and risk clients who have questions about how to build, improve, repair, or elevate their relationships with their technology counterparts can reach out to me via inquiry or guidance session.