Firms don’t want to talk about their failures, especially in the cybersecurity realm, where the stakes are high. But insights from Goldsmiths, University of London, and Symantec reveal that security professionals who have lived through a cyber-attack or security breach may be the best hires for protecting organizations against future threats.

The report confirmed that just over half of the 3,000 CISOs surveyed feel that learning from failure is a vital part of improving corporate cybersecurity infrastructure. Indeed, these professionals may be the firm’s best line of defense in the face of any potential cyber-attack. Security professionals who have survived an avoidable breach come with a unique mindset. Such professionals are less likely to experience burnout, comparatively less likely to think about quitting their job, less indifferent to their work, feel less personally responsible for an incident, and are more likely to share their learning experiences for the betterment of the company.

Cybersecurity breach survivors have first-hand experience of what works on the frontlines of security performance management and what doesn’t, and they are well versed in recovery procedures, crisis management, and team focus. Furthermore, cyber-attack veterans possess a unique perspective on cybersecurity risk management. They comprehend that risk mitigation requires more than the right technology and tools. Unless a firm takes a risk-based view of security, where all stakeholders understand the inherent threat of conducting business in a digital world, then all the endpoint protection, firewalls, and other security measures won’t help.

Unfortunately, while many firms tend to extol the virtues of information-sharing and openness, cybersecurity remains a taboo subject. Cyber breaches are treated as a warning, and security teams are hesitant to share information or disclose the vulnerabilities that led to a breach and the lessons learned from those particular incidents. That is possibly the reason why security professionals who have experienced one remain, unfortunately, tight-lipped about their experiences. The study further shows that 54% of respondents don’t discuss attacks or breaches with their industry peers, with 36% fearing that sharing such information could impact their career prospects or professional reputation.

This new report boldly asserts several best practices, suggesting that these learnings should be shared with company boards to foster a more open learning culture for data security teams. Hence, data breach survivors should be at the top of the company’s list of hiring priorities. Indeed, sharing experiences is a critical part of designing the security structure of any company, especially since all employees must be involved in protecting organizational data. The existing cybersecurity skills shortage means that everyone, from the CEO to the clerk, needs to take responsibility.

Not adhering to the set security policies can yield some sobering results. The average cost of a cybersecurity breach has now touched $4.6 million per incident. But the impact extends beyond potential reputational and financial ruin. Data protection and security teams are feeling the burn, with 51% of tech executives experiencing cybersecurity burnout and other stress-related illnesses as a result of breaches, cyber-attacks, and outages. Firms need to realize that experience with vulnerabilities can strengthen security performance management.

All firms are vulnerable, often without even realizing it. But the cybersecurity professionals who have witnessed an attack first-hand should be heard, applauded, and prized. They should feel confident that their experience can guide their organizations to be better prepared to resist future security breaches. Their experiences, and the knowledge they have gained from them, should be used to bolster security performance management, creating a formidable front against future threats. It is time for firms to change their mentality towards employees with data breach experience and hire more of them to make the company’s operations more breach-resistant.