Hackers and the latest malicious unleashing aren’t the only headaches CISOs have to deal with. LogRhythm’s Chief Information Security Officer, James Carder, explains seven common pain points – from endless meetings to inflated egos – and outlines some (pain) killer strategies to alleviate them.
1. Governance, Risk, and Compliance
Writing and enforcing security policies, standards, and guidelines not only requires a lot of documentation – it needs buy-in from key stakeholders. If your company culture doesn’t embrace governance or regulations, you may find yourself in the additional role of CNO – Chief Nagging Officer, constantly communicating policies to co-workers time and again to ensure they comply.
Managing and maintaining third-party risk is another time-consuming GRC task, whether assessing the security of third-party organisations or completing security surveys with hundreds of questions (think SIG, SIG Lite, customised customer surveys) on the vendor side.
Assign or hire a designated GRC liaison or administrator – an expert communicator who can educate and translate GRC for people at both executive and engineer levels.
One size doesn’t fit all when it comes to GRC models: a cookie-cutter approach usually fails. Ensure your GRC program and business objectives are aligned. An effective GRC program satisfies established needs and is easily consumable, supported, and understood by stakeholders as an enabler for their own jobs or functions.
2. Report Writing and Documentation
You might prefer to write code rather than reports, but writing, red-lining, rewriting and reporting is a time-consuming necessity.
Engage tech writers or establish a good relationship with another organisational department with expertise in writing and documentation (think marketing, public relations) to ease the load on engineers. Training your team to write is critical too – and makes them faster, better writers.
3. Being On-Call 24/7
There’s no such thing as a day off in security. Hackers know holidays and 3 a.m. are good times to catch organisations off guard.
If you can’t run a dedicated 24x7 operation, partnering with an MSP and other service providers can reduce the burden of after-hours and weekend monitoring on staff. By configuring the MSP to triage and notify you as critical situations arise, you’ll be informed when it’s threat time, and get some sleep when it’s not.
Leveraging security automation and orchestration (SAO) technologies is another way to automate the triage and response process outside business hours. You can automate your response mechanisms to contain and remediate security events without needing to notify staff after hours.
4. Asset Management and IT Hygiene
This is the stuff of CISO nightmares: Unpatched systems. Out-of-date applications. Offline systems ending up online. Decommissioned computers not actually decommissioned. Most major breaches of the past decade happened because systems, networks, and applications weren’t well maintained. BYOD and IoT amplified the threat.
Partner with your CIO and have executive and board level conversations clearly spelling out the risk to the business if a company-wide culture of controls and processes is not in place. Make sure your vulnerability management program is tied to the IT asset management and patching process.
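Tying vulnerability management to the asset inventory, as the paragraph above recommends, is at bottom a reconciliation problem: what IT believes is deployed versus what the scanner actually finds on the network. The following is an added example written for this article, not LogRhythm's or the author's code; the inventory, scan output, field names and the 30-day patch SLA are all constructed assumptions. It reports the four hygiene gaps the section describes: decommissioned systems still reachable, hosts the scanner sees that nobody owns, owned hosts the scanner never reached, and active hosts past their patch SLA.

```python
"""Reconcile an IT asset inventory against vulnerability-scan results.

Constructed sample data and assumed field names (hostname, status, owner,
last_patched, findings); not taken from any real CMDB or scanner.
"""
from datetime import date

# Constructed CMDB export: what IT believes is deployed.
INVENTORY = [
    {"hostname": "web01", "status": "active", "owner": "platform", "last_patched": date(2024, 5, 1)},
    {"hostname": "db01", "status": "active", "owner": "data", "last_patched": date(2024, 1, 15)},
    {"hostname": "legacy07", "status": "decommissioned", "owner": "finance", "last_patched": date(2022, 3, 3)},
    {"hostname": "hr-app", "status": "active", "owner": "hr", "last_patched": date(2024, 4, 20)},
]

# Constructed scanner output: what is actually reachable on the network.
SCAN_RESULTS = [
    {"hostname": "web01", "findings": 2},
    {"hostname": "db01", "findings": 11},
    {"hostname": "legacy07", "findings": 40},
    {"hostname": "test-box-9", "findings": 7},
]

TODAY = date(2024, 5, 10)   # constructed reference date for the SLA check
PATCH_SLA_DAYS = 30         # assumed patching SLA


def reconcile(inventory, scan_results, today=TODAY, sla_days=PATCH_SLA_DAYS):
    """Return the hygiene gaps between the inventory and the scan."""
    by_name = {a["hostname"]: a for a in inventory}
    scanned = {r["hostname"]: r for r in scan_results}
    active = {h for h, a in by_name.items() if a["status"] == "active"}

    # Decommissioned on paper, but the scanner still reached it.
    zombies = sorted(h for h, a in by_name.items()
                     if a["status"] == "decommissioned" and h in scanned)
    # Reachable on the network, but nobody in the inventory owns it.
    unmanaged = sorted(h for h in scanned if h not in by_name)
    # Owned and active, but the scanner never assessed it (coverage gap).
    not_scanned = sorted(h for h in active if h not in scanned)
    # Active hosts whose last patch date is older than the SLA allows.
    overdue = sorted(h for h in active
                     if (today - by_name[h]["last_patched"]).days > sla_days)
    # Active, managed hosts ranked by open findings, worst first.
    ranked = sorted(((h, scanned[h]["findings"]) for h in active if h in scanned),
                    key=lambda hf: -hf[1])

    return {
        "decommissioned_but_online": zombies,
        "unmanaged": unmanaged,
        "not_scanned": not_scanned,
        "patch_overdue": overdue,
        "findings_ranked": ranked,
    }


if __name__ == "__main__":
    for gap, hosts in reconcile(INVENTORY, SCAN_RESULTS).items():
        print(f"{gap}: {hosts}")
```

Each list maps to an owner in the inventory, which is what makes the conversation with the CIO concrete: the "decommissioned but online" and "unmanaged" lists are the items no patching programme will ever touch until asset management catches up with them.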
For BYOD and IoT, ensure strong role and identity management, network segmentation, data segmentation, and authentication and access controls. Make it easy to register, authenticate and authorise employee devices safely. Many organisations are adopting a zero-trust model incorporating all these features for any corporate device, user role, or identity.
5. Meeting Fatigue
With a shortage of skilled security staff, you can’t afford to lose limited resources to endless meetings.
Ask the million dollar question: “Is this meeting necessary?” Train your leadership team on meeting effectiveness, decision-making and the need for clear meeting objectives and outcomes. Master your calendar: Beyond scheduled meetings, allocate slots for impromptu meetings or blocks of work time.
6. Triaging False Positives/Alarms
Investigating what turns out to be a false threat is frustrating, time-wasting and exhausts your team. When ‘alarm fatigue’ hits, they’re more prone to miss critical, true positive alarms.
Fine-tune your SIEM and other detection and alerting systems to accurately detect true threats and surface them above the noise. Employing automated responses (throughout the investigative life cycle) and threat intelligence (proactively and reactively) to triage events can help reduce manual work and distinguish real threats from false positives. If you don’t have in-house expertise for this functionality, engaging services from your vendor can save a lot of headaches.
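The tuning the paragraph above describes usually comes down to three mechanical steps in front of the analyst: suppress pairings you know are benign (rather than disabling the whole rule), collapse repeats of the same event into one case, and let threat intelligence raise the priority of something that would otherwise be low-severity noise. The following is an added example written for this article, not LogRhythm's code or any SIEM's actual output; the alert feed, the suppression entry, the indicator set, the severity numbers and the 10-minute window are all constructed assumptions.

```python
"""Tune and triage a feed of SIEM alerts: suppress known-benign sources,
collapse duplicates, enrich with threat intelligence, and rank what is left.

All data below is constructed and the field names (rule, src_ip, host,
user, ts) are assumptions; nothing here comes from a real SIEM.
"""
from datetime import datetime, timedelta

# Constructed raw alert feed, in arrival order.
RAW_ALERTS = [
    {"id": 1, "rule": "port_scan", "src_ip": "10.0.5.20", "host": "web01", "ts": "2024-05-10T02:00:00"},
    {"id": 2, "rule": "port_scan", "src_ip": "10.0.5.20", "host": "db01", "ts": "2024-05-10T02:03:00"},
    {"id": 3, "rule": "failed_login", "src_ip": "203.0.113.7", "host": "vpn", "user": "jsmith", "ts": "2024-05-10T02:10:00"},
    {"id": 4, "rule": "failed_login", "src_ip": "203.0.113.7", "host": "vpn", "user": "jsmith", "ts": "2024-05-10T02:11:00"},
    {"id": 5, "rule": "failed_login", "src_ip": "203.0.113.7", "host": "vpn", "user": "jsmith", "ts": "2024-05-10T02:12:00"},
    {"id": 6, "rule": "new_admin_account", "src_ip": "10.0.9.4", "host": "dc01", "user": "svc_backup", "ts": "2024-05-10T02:30:00"},
    {"id": 7, "rule": "port_scan", "src_ip": "198.51.100.9", "host": "web01", "ts": "2024-05-10T03:00:00"},
]

# Tuning knowledge: the authorised internal vulnerability scanner (constructed
# address) is expected to trigger port_scan. Suppress that (rule, source)
# pairing only, so the same rule still fires for anyone else.
SUPPRESSIONS = {("port_scan", "10.0.5.20")}

# Constructed threat-intel indicator set; in practice this comes from a feed.
THREAT_INTEL = {"198.51.100.9"}

BASE_SEVERITY = {"port_scan": 2, "failed_login": 3, "new_admin_account": 7}  # assumed
DEDUPE_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3     # repeats within the window that count as a burst
INTEL_BOOST = 5         # severity added when the source is a known indicator


def triage(alerts, suppressions=SUPPRESSIONS, intel=THREAT_INTEL):
    """Return suppressed alert ids and the remaining cases, highest severity first."""
    suppressed = []
    open_groups = {}    # dedupe key -> the group still accepting repeats
    cases = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if (a["rule"], a["src_ip"]) in suppressions:
            suppressed.append(a["id"])
            continue
        ts = datetime.fromisoformat(a["ts"])
        key = (a["rule"], a["src_ip"], a["host"], a.get("user"))
        g = open_groups.get(key)
        if g is not None and ts - g["last"] <= DEDUPE_WINDOW:
            g["count"] += 1          # same thing again, fold it into the open case
            g["last"] = ts
            g["ids"].append(a["id"])
            continue
        g = {"rule": a["rule"], "src_ip": a["src_ip"], "host": a["host"],
             "user": a.get("user"), "count": 1, "first": ts, "last": ts, "ids": [a["id"]]}
        open_groups[key] = g
        cases.append(g)

    for g in cases:
        severity = BASE_SEVERITY.get(g["rule"], 1)
        reasons = []
        if g["count"] >= BURST_THRESHOLD:
            severity += 2
            reasons.append(f"{g['count']} repeats within {DEDUPE_WINDOW}")
        if g["src_ip"] in intel:
            severity += INTEL_BOOST
            reasons.append("source matches threat-intel indicator")
        g["severity"] = severity
        g["reasons"] = reasons
        g["disposition"] = ("escalate" if severity >= 7
                            else "review" if severity >= 4 else "log")

    cases.sort(key=lambda g: (-g["severity"], g["first"]))
    return {"suppressed": suppressed, "cases": cases}


if __name__ == "__main__":
    result = triage(RAW_ALERTS)
    print("suppressed:", result["suppressed"])
    for c in result["cases"]:
        print(c["disposition"], c["severity"], c["rule"], c["src_ip"], c["ids"], c["reasons"])
```

Seven raw alerts become three cases: the scanner's two port scans never reach a person, the three failed logins arrive as one case with a note that they came in a burst, and the port scan from an address on the indicator list outranks them despite its low base severity. Recording the reasons on each case is what lets the team later judge whether a suppression or a boost was right, which is the feedback loop the tuning depends on.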
7. Managing Egos and Personalities
There may be a relative shortage of highly qualified security pros, but there’s no shortage of massive egos. The egoists feel they’ve proven themselves and have nothing left to learn, but haven’t mastered the art of giving back. This can derail initiatives by taking the focus off success of your team and projects.
Aim for a balanced team with an even distribution of seasoned professionals prepared to mentor, and junior staff eager to learn. Thoroughly vet applicants on their hunger and passion to keep growing.
Whoever said ‘no pain, no gain’ was wrong. With the right strategies, people, systems and resource management in place, it is possible for CISOs to gain the benefits that come from eliminating some common pain points.