I was reading an article in CPO magazine that discusses how, despite ever-growing cybersecurity challenges, organizations are falling short in addressing the issues. Two pieces of information from the article highlight topics that deserve our attention.

The first is that the leading cause of cybersecurity breaches was non-malicious user error. The other is that organizations need help finding and retaining cybersecurity staff.

Your most significant cybersecurity risk and potential threat do not come from outside your organization. Instead, they originate from within your organization, from employees' mistakes made while taking care of the business.

Non-malicious user error is mainly a training issue, and more importantly, it is an issue that requires employees to care enough about their company to make cybersecurity a priority. Caring about the business is tough when employees don't feel empowered, which is a growing issue today. Employee loyalty is waning, as we have all witnessed at some point. Employees can be trained, but making them care is about empowerment, which brings me to my second point.

Cybersecurity professionals have many work opportunities available if they want them. Over the last decade or more, cybersecurity practitioners have become true specialists and more professional. One thing a cybersecurity professional wants to avoid is painstakingly discovering the issues, only to have the organization refuse to implement the changes and fixes that are recommended.

I believe that these two issues are tied to each other. The lack of security impact happens often enough that I can guarantee EVERY professional reading this can come up with dozens of examples. So basically, nobody who takes their work seriously wants to be the token security guy or gal, or a trophy for a company to talk about when someone asks what they are doing about cybersecurity.

If they complain enough to management, boards, and CXOs about this, they either get marginalized or perhaps even laid off. Or they leave on their own, looking for a place where their work matters. Now you have a disgruntled ex-employee out in the wild who has a deep and intimate knowledge of your cybersecurity shortcomings, and unfortunately, news travels fast in cybersecurity circles. People have beer bashes at a conference, and suddenly pieces of unflattering information start slipping out. I have seen this happen even at a CXO level.

So what does this all mean? Well, for one thing, it means that if you are an organization that is going to the trouble of finding the best and brightest to do a job, you have to empower them. Otherwise, you end up putting your organization at higher risk down the line when the information about the weaknesses gets "leaked."

Empowering cybersecurity people to fix the problems they discover is good for their retention and is insurance against trouble that may arise a year or two after they depart.