
Breaking down long-standing silos between security and technology teams

I am pleased to publish my latest research for security and risk professionals, which addresses a problem that is as old as time, or at least as old as cybersecurity: the silos that exist between engineering and security teams.

How big is the problem? Officially, it isn’t: according to the many global technology decision makers we interview, cybersecurity is a top priority. Unofficially, however, from my own experience and the experience of nearly every security professional I know, there is a problem. If we were to play the “Never Have I Ever” game in a professional context and my turn were “I have never formed an unbreakable alliance with the technology team,” the room would be filled with mostly sober CISOs.

Not only does this tension cause significant stress for CISOs and engineering leaders (and their teams), but in any situation where people are arguing and pointing fingers, on a very practical level, the work is not getting done. In this case, that work is the organization’s cybersecurity posture, and it gets pushed to the back burner because of these silos.

Why this research?

We launched this research because we noticed, through other research projects and conversations with our CISO and tech executive clients, that the issue of silos between security and tech teams has come back to the fore over the last 18 months. It has been mentioned repeatedly, in hushed tones, in inquiries and consultations as a reason for not being able to move to an agile environment, obtain and report meaningful metrics, or deliver on zero trust promises, along with general moaning about “the other side.”

We found that a key factor behind the growing gap is reconfigured reporting lines: in 2017, 60% of CISOs reported to technology, but today that number is down to 33%. This means that the few tech leaders still responsible for security must navigate an increasingly complex threat landscape, grapple with an evolving discipline outside of their core competency, and report to the board on the issue. The remaining 67% of tech leaders, who are not directly responsible for cybersecurity, are still responsible for implementing and operating a large portion of the security controls, which is the worst of both worlds.

Before we started looking at the solution, we wanted to understand the root cause of the silos. In this investigation, we wanted to hear the perspective of technology leaders, a perspective that many of us in security have not yet had the opportunity to explore in detail.

What we found was humbling: only a few of the tech leaders we spoke to reported positive relationships with their CISOs; most were lukewarm to downright hostile. Relationships fell into three categories: positive but conditional (better if the CISO reports to the CIO or the CIO co-leads security and engineering); neutral (with the CISO largely viewed as technology-focused); or downright hostile.

Different sides of the story

Technology executives told us they struggled with competing goals, a complete lack of pragmatism, and a “sky is falling” mentality from their security colleagues or direct reports. They mentioned feeling criticized, as if dirt were being thrown at them or they were being told their baby was ugly.

Conversely, they were not always aware of the challenges facing CISOs and security teams: the CISO Da Vinci fallacy, burnout, and talent gaps, to name a few. Motivations and past traumas obviously don’t excuse anyone’s current behavior, but understanding them will help you see your past with different eyes and work toward a better future.

Solution to the problem

If left unaddressed, negative dynamics will continue to fester, causing serious personal, professional, and business damage to everyone involved. You can hope that these relationship problems will go away on their own, or you can address them head-on.

While we didn’t have a firm hypothesis for the solution, we expected to explore topics such as co-developed technology/security strategies, better processes and governance to align the teams, and technologies that enable tighter integration between the two functions. We couldn’t have been more wrong. While questions about people, processes, and technology kept cropping up, the research ended up taking an unexpected turn.

The themes that emerged among the tech/security leadership pairs who found and/or desired harmony revolved around two important but often confused words: empathy and trust. Fortunately, we know from Forrester’s data-driven research on empathy and trust that they are concrete and can be built.

Originally published in Forrester
