I saw this article when I was looking for something more technical, and it raised a few points in my mind about a 'corporate mentality' when approaching cybersecurity.
I share the opinion of the author in placing the onus on all parties to integrate security into common corporate practice. However, there are always questions about where companies should draw a line to determine risk vs cost-effectiveness. And it is natural to question the need for more IT 'hoops to jump through' for the average employee when all he/she wants to do is the seemingly innocuous (word-processing, accessing documents, sharing files internally etc.).
This article (rightly) calls upon the CISO to engage with stakeholders in different company environs and determine how cybersecurity can work for and with the organisation, as opposed to hindering productivity by imposing 'solutions' to cyber problems that only the IT team knew the organisation had.
It is up to each respective department within an organisation to discuss minimising the impact of IT changes, and to determine what (if any) concessions will need to be made in the name of security.
The potential harm to an organisation from a breach or cyberattack is ever more visible to stakeholders outside of IT as time goes by, and the level and sophistication of such attacks are only growing. The CISO role has matured from perennial naysayer to thought leader. Now the responsibility lies with CISOs to use their position and organisational network to encourage such discussion. Furthermore, CISOs need to evolve security processes that promote the success of the company and allow it to continue running whilst protecting that hard-earned revenue.
Any corporate environment that cannot encourage this cross-discipline relationship is risking too much – either in lost productivity, or in the fall-out from a breach. Either way, it is only geared up to lose revenue.
Yes, security is inconvenient, but it need not be a source of constipation. Instead of wrapping the employees in InfoSec cotton balls, the CISO should be bringing the stakeholders to the table. The processes and procedures evolved by the IT and InfoSec teams should exist to enable and promote the success of sales, marketing and all the other departments. InfoSec is the revenue-preservation part of the equation, and thus a cost center that earns its keep.