Intelligent CISO Issue 70 | Page 42

EXPERT OPINION
What makes the extension of CISO thinking into this area even more remarkable is that it’s in the context of cybersecurity automation.
And so far, it’s been hard to measure security automation ROI. I can measure ROI (return on investment) by automating workflows in a business process; tasks are completed faster and cheaper. But if automation just keeps everything going without interruption, is that enough of a KPI?
Is the real ROI for a tech product how good it makes the user feel?
Well, now we have a better KPI. For the last three years, here at ThreatQuotient we have been polling cyber teams about their experiences, and this year we talked to 750 senior cybersecurity professionals in the UK, US and Australia from big organisations in verticals from central government to retail and financial services.
We found lots of interesting statistics, but for the first time we found respondents putting the HR and people side of cyber ahead of other aspects. This starts with the top three challenges facing cybersecurity teams being framed as insufficient budget, growing regulatory and compliance challenges – but also high team churn rates. Even more strikingly, employee satisfaction and retention has become the main metric for assessing cybersecurity automation ROI for more than 60% of the survey respondents – outweighing those older ‘mean time to resolution’ measures we have always utilised.
So, the point of investing in cybersecurity automation is becoming less about the straightforward technical and security protection measures. Now, it’s to get automation in to help with making the analyst’s job easier and so more enjoyable – by getting the computer to shoulder the burden of low value/repetitive activities and release the skilled professional to take on more interesting and fulfilling work.
In strict security terms, think about how nice it would be to not have to click the same eight buttons repeatedly to achieve your outcome, or for it to be easier to work through that bunch of domain names which have been incorrectly blocked that you receive every day.
But from what I’m seeing in the sector, it’s not just automation of this kind of work that the CISO is looking for help with here. Across multiple industries, companies are now actively looking to improve employee satisfaction, to consciously see how their wellbeing can be boosted and reduce churn.
Personally, I see a lot more change at senior level; it used to be you would see the same head of security in a job for five to 10 years, but since COVID and us all re-examining what we want from work, people now seem to move or even leave the sector every two to three years instead.
Security leaders also want better L&D (Learning and Development) for their people. We asked what the top three most desirable aspects of a new cyber automation product were; training availability – so making sure people can actually get value out of the product and the technologies they’re deploying – came in at a strong second (23%), just behind if the tool can integrate with multiple data sources (24%). But I also hear a lot of employers highlighting support for hybrid working, diversity, flexibility around parenting in their recruitment campaigns – all classic EX concepts that suddenly make sense in this area of tech, too.
Time for our tech culture to get more welcoming and supportive
There’s a kind of fascinating contradiction here; by making automation mainstream, we’ve also realised that making routine work simpler has exposed a