UK businesses are failing to get value out of cyber security because they fail to see its strategic importance and often have a negative attitude towards security professionals, a study has revealed.

The majority of UK IT security professionals feel that they are underrated by their fellow workers and employers, according to a study commissioned by privileged access management firm Thycotic.

Nearly two-thirds of respondents (63%) feel that their security teams are either viewed as the company naysayers, “doom mongers” or a “necessary evil” (36%), despite the fact that more companies are hiring CISOs and Data Protection Officers in response to new risk frameworks in data protection regulations, such as the GDPR.

Being seen in a negative light

Some 27% of respondents said security professionals are just something that runs in the background and that employees don’t really notice.

The research, which was conducted with 100 IT security decision makers within the UK, revealed that more than a third of respondents (38%) believe that they are viewed as the “policemen”, with 13% saying that they continually experience negativity towards their team and their work.

Almost three-quarters (74%) of security professionals reported negativity or indifference regarding the introduction of new security measures and policies, with employees either believing the measures will hamper their work (35%) or barely paying any attention (39%).

Not being valued by the board

Security professionals said boards perceive them as functional but not as a force for competitive advantage, with 56% saying they feel restricted by the board and only 41% reporting that their organisations have a CISO in place on the board.

Although the cyber security team can be instrumental in business transformation, only 44% believe that the C-suite sees them as a positive force for innovation, and just one in 10 respondents (13%) believe that the board sees them as helping the company to gain a competitive advantage.

The findings suggest that boards may be paying lip service to IT security teams, as there is a disparity between what the board says and how this translates into investment.

Source: ComputerWeekly