Working in cybersecurity has its clear benefits: bringing value to a vital industry, competitive pay, and a thriving job market. With any job, however, there will always be some aspects that are less exciting than others. As someone who started off in engineering before moving into management, I’ll admit that my opinions are a bit biased towards my technical roots.
Here, I’ll cover some of the less-glamorous elements of the CISO role that, while necessary, might leave some of us aching to throw on the headphones and just code—as well as some ideas on how to make these pain points less arduous. Many of the items I’ll be listing are not necessarily exclusive to cybersecurity; some may find a common theme within their own respective industries.
1. Governance, Risk, and Compliance
Governance, risk, and compliance (GRC) is largely about navigating company culture, people, and process. Writing and enforcing security policies, standards, and guidelines requires a lot of documentation and buy-in from key stakeholders.
Not all engineers and company personnel have a security mindset—many aren’t necessarily thinking about whether or not they’re following mandates or breaking rules. If your company’s culture isn’t used to being governed or regulated, you may find yourself taking the role of the nagging regulator communicating policies to coworkers and ensuring they comply. You probably won’t be winning any popularity contests any time soon because of this.
Another pain point relates to managing and maintaining third-party risk. Whether you’re assessing the security of third-party organizations or—if you’re on the vendor side of things—completing hundreds-of-questions-long security surveys (e.g., SIG, SIG Lite, customized customer survey), you’re in for a time-consuming process. As maintaining third-party risk is a year-round job, there really isn’t ever a clear end to this work.
Assign or hire a designated GRC liaison or administrator. Beyond having knowledge of governance, risk, and compliance, this person also needs to be an expert communicator who can educate and translate for people at both the executive and engineer level. Knowing that someone is staying on top of policies, standards, regulations, and audits will ultimately improve team efficiency, and also helps boost your customers’ confidence when they know your security program is dedicated to following best practices.
From an approach perspective, people that try to implement a one-size-fits-all model to GRC often fail (what’s needed for financial services likely won’t apply for a tech startup). Ensure your GRC program and business objectives are aligned; creating governance just for the sake of creating it won’t bode well. A proper GRC program effectively satisfies established needs and is easily consumable, supported, and understood by stakeholders as an enabler for their own jobs or functions.
2. Report Writing and Documentation
If you’re like most in our industry, you’d rather spend your time writing code instead of reports. But writing and reporting has become a necessity of the job. As CISO, you may find yourself wearing the editor hat and losing otherwise productive afternoons with redlining and rewrites.
Tech writers exist for a reason; they can lift a heavy burden off engineers. If bringing on a tech writer isn’t in the cards, establishing a good relationship with another department in your organization that has experience in writing and documentation (e.g., marketing, public relations) can be a great option.
Yet even with these resources, training your team to write is critical. Security staff would undoubtedly prefer a training session on technical specialties, but writing is a competency that shouldn’t be ignored. Every document, presentation, metric, and report that comes out of your employees is a direct reflection of your organization as a whole. Training your staff to write effectively will save you many hours in the long run.
3. Being On-Call 24/7
Alerts at 3 AM. Christmas day zero-days. Threat actors don’t sleep, and holidays are nothing more than a day when a hacker knows your organization might be off its guard. The reality of the profession is that there’s no such thing as a real day off—you’re the first line of defense 365 days of the year.
If you’re unable or it doesn’t make sense for you to run a dedicated 24x7 operation, partnering with a MSP and other service providers for after hours and weekends can help alleviate your staff from intensive, round-the-clock monitoring. Configuring the MSP to triage threats and notify you via phone call is an effective way to be informed of a critical situation when it’s time, and to get (some) sleep when it’s not.
Leveraging security automation and orchestration (SAO) technologies is another great way to automate the triage and response process during outside business hours. You can automate your response mechanisms to contain and remediate security events all without needing to notify staff after hours. There were many times where we came to work Monday morning only to find out that our SIEM and SAO systems triaged and remediated a security event that could be automatically contained over the weekend.
4. Asset Management and IT Hygiene
Unpatched systems…out-of-date applications…systems never designed to be on the internet now online…forgotten computers that were supposed to be decommissioned but never were. This is the stuff of CISO nightmares. If you look at all the major breaches in the past 10 years, the majority happened because systems, networks, and applications weren’t well maintained. BYOD and IoT spread this expansive threat landscape even further.
Partner up with your CIO or equivalent IT peer. In an executive or board-level conversation, strive for a mutual understanding of the risk to the business if a company-wide culture of controls and processes is not properly executed. If you run a vulnerability management program and don’t have it tied in to the IT asset management and patching process, you’re doing it wrong as a CISO.
BYOD and IoT are business enablers—you want your security program to facilitate this technology. You’ll want strong role and identity management, network segmentation, data segmentation, and strong authentication and access controls. Provide employees with an easy way to register, authenticate, and authorize their devices safely and without putting the rest of your organization at risk. Many organizations are adopting a zero-trust model that incorporates all of the items above for any corporate device, user role, or identity.
5. Meeting Fatigue
Security staff are pulled into meetings for new IT projects, training initiatives, business developments, or when people just want to hear about the latest in security. Even those not in a management position are being pulled into multiple initiatives across the board. It’s no secret we have a shortage of security staff in our industry—we can’t afford to offer up the limited time our valued security staff do have.
Growing your team is a great thing. As a CISO, however, you need to effectively build your department’s hierarchy to enable capable managers and directors to help, among many things, limit your direct reports. Without this strategic structure, you’ll be hard-pressed to get any work done outside of all your one-on-one meetings.
Training your leadership team on meeting effectiveness is critical to the success of any project, but also to the success of your staff. Insight into the various types of decisions that can be made, roles in making a decision, and having a clear understanding of objectives and outcomes are all key in running effective meetings. Ask yourself: “Is this meeting necessary in the first place?”
In addition to scheduled meetings, make sure to include time slots for impromptu meetings or just general blocks of time to get work done. Proper calendar mastery really gives you power as a leader
6. Triaging False Positives/Alarms
Devoting part of your day to investigating a threat that turns out not to be real is always frustrating. And it isn’t just the immediate cost of your time being wasted, but the opportunity cost of what you could have been working on when you were called to the “fire.” False positives ruin momentum, interrupt important meetings, and exhaust your team. And when your team experiences alarm fatigue, they’re more prone to miss critical, true positive alarms.
Make sure you’re fine-tuning your SIEM and other detection and alerting systems to accurately detect true threats and surface those above the noise. Employing automated responses (throughout the investigative life cycle) and threat intelligence (proactively and reactively) to triage events can also help cut back on manual work and determine real threats from false positives.
If you don’t have the in-house expertise to set up this functionality with your SIEM or other detection and alerting systems, employing services from your vendor to do so can ultimately save your team a lot of headaches in the future. Unfortunately, some false positives may be an ongoing reality of our business, but reducing their frequency will always be a valuable investment.
7. Managing Egos and Personalities
The security space is one that is understaffed in those who offer a highly qualified skillset. Truth be told, massive egos can run amok in our small industry because of this. I’ve seen folks who ride the praise of having developed some cool security software; written a well-known exploit years ago; or been part of a well-known group, hack, or compromise.
They may have the feeling that they’ve already proven themselves and have nothing left to learn, but still haven’t mastered the art of contributing to others. A team full of these types can really derail your program as the focus becomes squarely about their egos and no longer about the success of your team and program.
As with anything in life, it’s about striking the right balance. Your team should have an even distribution between seasoned professionals and junior staff trying to learn as much as they can. A team comprised entirely of “rock stars” is like having a team of nothing but executives—none of the real work ever gets done. Ensure that you’re not blinded by a bright shiny object; thoroughly vet out applicants’ hunger and passion to grow even more.