The day-to-day grind of fighting threats and reducing cyber-risk is difficult in even the best of circumstances. Unfortunately, many security professionals face added friction in their work environments that makes it harder to do their jobs effectively. Company culture, resource constraints, and process limitations are a few examples of what can get in the way of security pros making meaningful strides toward improving an organization’s cybersecurity posture. Following are 10 of the most common obstacles that keep them from actually working on cybersecurity on the daily.
1. Lack of Budget
When security teams don’t have enough financial resources at their disposal, the development and execution of a sound security strategy becomes an uphill battle.
“A lack of budget is one of the biggest obstacles security professionals face today in securing their organizations,” says Asher de Metz, security consulting senior manager for Sungard.
According to Keatron Evans, principal security researcher at Infosec Institute and a consultant for KM Cyber Security, many organizations come up with their security budgets without gaining a clear understanding of what their security and risk management requirements really are.
“This often leads to security professionals having to do $100 jobs on $2 budgets,” Evans says.
As a result, security staff can’t get the training, time, or tools to adequately keep up with the threats over time.
“Threat hunting is a great example of this. There are some really good tools in the market, but lack of budget keeps the experienced team members from being as productive as they could be,” explains Doug Saylors, co-leader of consultancy firm ISG Cybersecurity.
The good news for teams at the moment is that there’s some relief in sight at many organizations, which are reporting a "significant" boost in spending in 2021.
2. Not Enough Staff
A recent survey found that if cybersecurity pros had a security magic wand and could make a change, their No. 1 wish was for a bigger team — which ranked above more effective tools and more budget.
Of course, lack of budget often goes hand in hand with not having enough people to attend to all of the security work that needs to be done. Some security teams may have no money allocated for new positions, but more likely they don’t have enough money to attract the kinds of candidates they need. This is frequently an internal struggle security managers have with their human resources (HR) minders, who may not have their salary limits for the team grounded in the reality of cybersecurity’s extremely tight job market.
“Recent escalating base salaries for cyber talent require changing HR's salary-grid boundaries,” says Terry Jost, managing director and global security and privacy segment leader for Protiviti.
Increasing salaries for both recruiting and retaining security staff is an obvious 'gimme,' but veteran security team builders have other tricks up their sleeves. As an experienced security practitioner and leader, Chuck Everette advocates for security management to get more creative about pulling from internal IT teams to increase the recruitment pool.
“While they might not be already groomed security professionals, they already have a plethora of vital information, such as current infrastructure and application knowledge and other critical internal information to support this role,” says Everette, director of cybersecurity advocacy at Deep Instinct and a longtime security executive and consultant. “By upscaling these resources, they can spend less overhead and upstart capital than by hiring externally.”
One of the unfortunate by-products of a shoestring staff is that there are not only fewer people to do the work, but the quality of work from those who remain also tends to slide over time due to the inevitable burnout.
According to VMware's new "Global Incident Response Threat Report," 51% of security professionals experienced extreme stress or burnout during the past year.
“Overworked security staff are more likely to make mistakes, miss critical threat indicators, and do not have the time and bandwidth to perform routine proactive maintenance,” says Everette. “Companies need to also look at improving the working conditions for their existing securities staff along with filling open job requisitions.”
According to Steve Moore, chief security strategist at Exabeam, improving working conditions is driven by the implementation of processes and tools that eliminate the highest friction, lowest value tasks.
“Create teams that obsess over correcting the worst part of the jobs [and] then do it,” Moore says.
4. Lack of Visibility
According to Evans, one of the biggest blockers in his efforts to help clients respond to incidents and otherwise get their security work done is the lack of visibility they have into their environments.
“Trying to contain a threat in an environment where there is no clear picture of what the environment should look like presents a significant challenge, even for the best of us,” he says.
This is a consistent productivity drag for so many organizations, agrees ISG Cybersecurity's Saylors.
“It is surprising how many organizations don't have a current or valid CMDB in 2021,” he says. “Tracking this down delays and prevents security pros from being productive.”
5. Dashboard Fatigue
Yes, alert fatigue is a big problem, but perhaps an even worse issue is the variety and volume of tools needed to run down those alerts. Simply switching from one dashboard to the next, to the next, and then back again is a time sink — no matter how many monitors your analyst has at their desk.
“There is a surprising amount of time needed to navigate through the multiple tools which you and your analyst team are using,” says Ben Smith, field CTO at RSA NetWitness. “Different interfaces and different workflows can quickly add up to cognitive exhaustion. Every jump from one interface to another consumes some of your precious working memory and attention span, neither of which are limitless resources.”
6. All-Consuming Firefighting
Yes, incident response is certainly an integral part of day-to-day security work. However, when firefighting against the threat of the day overshadows all other priorities, then other important security work will never get done. This could be assessing for the biggest cyber-risks to the business and planning a more resilient set of security controls, proactively hardening the environment, or seeking out new threats that haven’t yet hit the headlines.
“Constant focus and engagement on incident response activities takes senior members of the team away from higher-value tasks, like threat hunting,” Saylors says.
7. Poor Collaborative Processes
Security teams often struggle to get their work done because they're unable to get the proper support they need from execution partners outside of the security team.
“A lot of the work that needs to be done to manage security risk is completed by people outside of the security team. System administrators need to manage inventory and patch systems, developers need to use secure software development practices, and all employees need to properly respond to phishing emails,” says Chris Houlder, CISO adviser for Aleada. “It can be challenging to get those people to understand, accept, and consistently perform their role in the security ecosystem.”
This is a tough nut to crack because it's not simply a process improvement issue — it’s also an exercise in persuasiveness and relationship-building on the part of the CISO and security team members who have dotted-line connections with those execution partners.
8. Out-of-Whack Reporting Structure
Those broken collaborative links across the business may actually be a function of a more fundamental problem of who the security leadership reports to. Out-of-whack reporting structures can drastically impact how security work is directed, how it's funded, and how much political capital CISOs have to make real change in the organization.
“For some CISOs, one dynamic that makes it hard for them to be effective in their role is their reporting structure,” says Deb Golden, Deloitte’s US Cyber and Strategic Risk leader. “If they report to the CIO, for example, the CIO's objectives and goals are often diametrically opposed to the CISO's. Reporting to the CFO can also be tricky, and not just because CFOs are so focused on the bottom line. The CFO's understanding of risk is very different from a CISO's, and that disconnect can be a daily source of friction.”
9. Compliance and Reporting Runaround
Compliance activities are an integral part of the security function, but CISOs and their teams often spend so much time on the audit treadmill verifying their minimal security posture that they don’t have time for meaningful improvement.
“The biggest blocker in the whole process is rarely discussed,” says Garret Grajec, CEO of YouAttest. “It's never stated, but a large percentage of an IT security staff's job is spent gathering reports and documenting changes and security events for governance and compliance.”
10. Meeting Mania
Pointless meetings are the bane of security leaders 'round the world.
“If you haven't had someone look at your calendar and ask you, ‘How do you get anything done with all of those meetings?’ then you haven't been in information security very long,” says Tom Garrubba, CISO at Shared Assessments. “If you haven't spent countless hours preparing a presentation on how the latest and greatest security tool will reduce risk to the company, [key risk and performance indicators], metrics only to have them shot down, you're still a newbie.”
Many C-suite leaders have heard the clarion call for improved cybersecurity and want to make a show of how their businesses are improving by bringing the CISO into countless meetings to report on progress and engage with the business. Accountability and relationship-building are crucial for improving security culture, but there’s a balance to how that’s achieved.
Ultimately, security leadership is never going to be able to eliminate every single one of these security blockers. They're simply a fact of life in most situations. But the more they can address even a few of these issues incrementally, the better their teams will be able to improve their cybersecurity performance over time.