A recent survey found that the two most significant risks CISOs face in their role are stress and burnout. This in turn impairs their ability to focus on the job and to join the upper echelons of the executive team, where they belong.
So, what can CISOs do to manage incoming threats and lower stress?
Yoran Sirkis, Co-Founder & CEO of Seemplicity, a risk management and productivity platform, believes that CISOs cannot progress when they are stuck fighting fires. With an average backlog of more than 100,000 vulnerabilities at any given time, there is an industry-wide problem of security teams racing to catch up. We sat down to discuss this topic in more depth.
What makes the role of CISO one of the most pressure-intensive roles in technology?
A CISO’s success, or failure, is measured by the risk they are able to mitigate on a daily basis. By this standard of measurement, CISOs are facing an incredible challenge. The cyber attack landscape is intensifying, and security teams are implementing tools and scanners to identify attacks and vulnerabilities. This, in turn, increases the number of findings and vulnerabilities the CISO is responsible for, a task that is becoming more complex every day.
Vulnerabilities must be reviewed and analyzed to determine their potential impact on the organization, but as the day has not gotten longer and CISOs are only human, the growing number of vulnerabilities waiting for review poses a major risk, and a growing burden on the security team.
It's an uphill battle. Hackers are becoming more efficient and are automating attacks; scanners are automating their findings; but when it comes to the actual remediation, manual processes and efforts are still the norm.
Aside from the immense pressure on their work-life balance, the toll is being felt on their professional capabilities as well. Research from Gartner found that only 12% of CISOs are effective in executing all of their professional responsibilities. Under these conditions, it’s no wonder that CISOs are suffering from burnout and unprecedented stress.
How can CISOs structure their team in order to relieve pressure?
To relieve pressure, CISOs must be able to effectively “manage down” and delegate remediation processes to their capable teams, as well as “manage across” to improve collaboration with the extended teams involved. This means CISOs need to create a Center of Excellence, so to speak, for operationalizing the reduction of risk for the entire organization. They must establish an efficient and scalable process for identifying, classifying, remediating and reporting on vulnerabilities. This gives the CISO the ability to answer the bigger question, “did we reduce risk within the organization?”, ensuring that the entire organization is adequately protected across all departments and garnering data-driven insights for making key business decisions about scalability, workflows, security structure, and more.
CISOs also need support from the top, meaning exposure to and connection with the C-suite and CEO in particular to get the resources and support needed to be successful.
What security strategies or frameworks can help CISOs prioritize issues?
There are several frameworks that organizations align with to improve their security posture, but none of them addresses the most effective way to operationalize the volume of security findings that need to be processed, remediated, and reported on a daily basis. Traditionally, the prioritization of vulnerabilities is conducted by the security teams before findings go to developers for remediation, creating a massive bottleneck. What is needed is a framework (which technology and AI can help produce) that can ease this logjam, aggregate vulnerabilities, and quickly assign them to the right developer for remediation. Such optimization of the prioritization process bolsters security hygiene and makes the workload of security teams more manageable. This in turn eases the pressure on CISOs and allows them to focus their energy on building a scalable strategy for staying ahead of vulnerabilities as the organization grows: preventing fires as opposed to constantly putting them out.
How can technology help CISOs better manage their teams, lower stress, and prevent burnout?
CISOs and security teams are responsible for ensuring the security of their organization, which is a herculean task due to the overwhelming scale at which attackers operate and the sheer volume of vulnerabilities that exist in today’s cyber landscape. With an average backlog of thousands upon thousands of vulnerabilities at any given time, remediation is slow, taking up to 250 days on average.
Having worked in the cybersecurity industry for many years, my co-founders and I were acutely aware of these problems, so we built Seemplicity with the simple goal of automating the remediation process by connecting security findings with those who can fix them, thus removing the bottleneck from security teams’ desks and accelerating time-to-remediation by up to 6X.
Automation is an incredibly valuable asset that has reached almost all industries, yet it has not been widely adopted in the remediation process. The less manual this process is, the faster it will be, and the more security teams can focus on value-added tasks. Technology can also give CISOs a better big-picture, data-driven assessment of the state of their organization’s current threat and vulnerability landscape, allowing for more effective delegation and operations. Combined, such innovative solutions can both greatly reduce the burden on employees’ time and make the job more interesting and strategic, reducing stress and burnout.