Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //
7/3/2017
03:20 PM
Paula Greve
Paula Greve
News Analysis-Security Now
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

The Stress of Being CISO

The title 'CISO' carries with it some serious stress. A new poll talks about that stress and what to do about it.

Sleepless at 2 a.m. What's keeping CISOs up at night?

They may blame the cat, the coffee or the chardonnay, but the truth is that work awakens most chief information security officers (CISOs) several times a week. When we consider their diverse responsibilities for risk management, crisis management and change management, CISOing is a stressful role these days.

Arguably the top ongoing concern from CISOs is, "I don't know who is already in my network." A close second is, "I don't have the staff and skills to figure this out." The traditional security balance of people, process and technology is being redesigned as CISOs work to re-balance investment away from countermeasures (technical controls) to enable incident identification, investigation and response.

Improving the efficiency of incident management is a major challenge, according to a new Enterprise Strategy Group (ESG) survey, sponsored by McAfee and other technology vendors, that uncovered the impediments to security analytics and operations. After total cost of operations (a reflection of people, process and technology), the next four challenges involve time, skills and operationalization of expertise.

These hurdles are all more problematic than writing a check for new products. They require re-thinking of security architecture and organizational design. For instance, according to ESG, 80% of organizations use more than ten tools for security operations and analytics. A whopping 40% use more than 25 tools. This cornucopia of technology creates complexity, integration expense, and, inevitably, process friction.


Want to learn more about the tech and business cases for deploying virtualized solutions in the cable network? Join us in Denver on October 18 for Light Reading's Virtualizing the Cable Architecture event – a free breakfast panel at SCTE/ISBE's Cable-Tec Expo featuring speakers from Comcast and Charter.

CISO as change agent
Shifting from a prevention-centric, turnkey tools security model to a process, people-enhanced lifecycle security model is a change management challenge. It demands today's CISO plays several different roles in reshaping the security function:

  • Coach: "Detect and correct" functions are far more process-intensive and knowledge-centric than tools-centric preventative measures. Organizational processes need to be defined, vetted, formalized and maintained, and that takes time, willpower, motivation and a committed team. Imagine training a team for a marathon, and you have the right idea.
  • Marriage Counselor: Sixty-six percent of companies surveyed by ESG are moving from a siloed model with different individuals using different tools, toward a more consolidated and integrated approach for security analytics.
  • Mediator: Companies already struggle with maintenance processes such as patching and vulnerability management, where security requirements often conflict with (and lose to) IT processes and policies. Now, to support the visibility and collaboration required for rapid and accurate incident response, CISOs need to break down more organizational barriers, influencing far beyond their direct reports.
  • Crisis manager: Every few months a dialogue-changing industry attack happens. If your business is affected, the security operations teams draw on operational IT for surge and suppression (which is where enabling collaboration becomes critical). If your company isn't affected, your next action is to prove that the company isn't vulnerable to the problem. Board members and executives expect business impact assessments while the operation is underway, contributing to pressure.

To support this imposing set of skills and strengths, many companies now look outside the technology career track to people with business, legal, communications and process management experience. Often, that decision triggers a further change management challenge: retention. In this market, cybersecurity experts can get a new job in days. Newcomer CISOs must ensure they reassure, motivate and respect existing staff, not simply because they are hard to replace [the same ESG survey indicates that 81% of respondents find recruiting and hiring cybersecurity talent to be either somewhat or extremely difficult], but in order to understand the current systems, processes and policies and why they exist. That wisdom prevents unintended consequences that can cripple business-critical systems, since security systems must be adapted while the business remains operational.

Looking back at this list, it's clear CISOs have a tough and delicate task in front of them. Like parents of a newborn, they are doomed to lose a lot of sleep along the way. But recognizing the scope and nature of the challenges will help each survive and thrive.

Related posts:

Barbara G. Kay, CISSP, is senior director of product and solutions marketing for McAfee. She leads security operations marketing, which is responsible for the threat intelligence and analytics solutions, as well as the security management platform that enables optimized security monitoring, threat detection, and response.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.