Cybersecurity Challenges 2023: What Keeps CISOs Awake at Night?
We asked company leaders to share their thoughts on what makes their jobs tough and share actionable trade tips to strengthen the security fabric of organizations while keeping attrition at bay.
One in five CISOs are working 25 or more extra hours per week, which is double the amount of overtime that they worked in 2021, an October 2022 survey by cloud security email provider Tessian found. The demands of the CISO role mean they are putting in significant overtime – about two extra work days per week. In addition, CISOs work 16.5 hours over their contracted weekly hours, an increase of 11 hours from 2021, the survey found.
But why? A major cause for concern for the CISOs is the significant rise in cybersecurity threats overnight. Additionally, a 2017 Capgemini survey revealed that 27% of business executives say that their company’s big data initiatives are profitable.
Yet, the green grass on the big data’s side isn’t enough to keep data leaders’ worries at bay. Data leaders are concerned when it comes to big data challenges such as data integration, lack of technical expertise, the proliferation of data silos, and, more importantly, security.
We asked company leaders to share their thoughts on what makes their jobs tough and share actionable trade tips to make sure security teams continue to uphold the security fabric of their organizations while keeping attrition at bay, especially in an uncertain environment.
Factors Responsible for the Attrition of CISOs and Security Teams
Katie McCullough, chief information security officer, Panzura
“Security impacts every area of the business. Being such a broad topic, it can become overwhelming for organizations, so it’s important that, as CISOs, we take the time to educate and inform the rest of the business.
My approach is based on risk mitigation first and foremost. It’s my responsibility to identify the risks, but I always work with the business to find a way to mitigate them. CISOs expect difficult conversations, especially when budgets are tight. At the same time, as security teams are increasingly under pressure, I’ve noticed many positives in how people from all over the business engage with security.
“There is an increased understanding of the role of security, an expectation that security needs to be bedded into the digital lifecycle, and a drive to communicate about security to clients and prospects.”
Ricardo Villadiego, Founder and CEO, Lumu
Villadiego goes on to highlight the nuisance of false alarms, which not only take up time but add to the company’s expenses and are a factor in employees’ burnout. According to Orca Security’s 2022 Cloud Security Alert Fatigue Report, 59% of security teams receive more than 500 public cloud security alerts per day.
”Cybersecurity operators cite large volumes of false alerts, the burden of investigating all those alerts, and the fact that the alerts can come at any time as some of the top reasons driving burnout,” Villadiego said.
Of the alerts received, 43% of respondents to Orca’s survey said 40% of the alerts received are false positives. According to recent findings by Guardrails, each actionable alarm takes an average of 30 minutes, whereas every false lead takes 32 minutes to investigate.
As such, 62% said that alert fatigue has contributed to turnover, and 60% said that alert fatigue has created internal friction in their organization.
“Many cybersecurity tools (like SIEMs) need to be more intuitive and can aggravate daily tasks. Added to this, they have to cope with the fear, uncertainty, and doubts that come with knowing that if they miss something big, it can severely affect their company or career,” Villadiego added.
“From a CISO perspective, balancing potential risks with investments and justifying those investments to other executives or to the Board (who are often not equipped to understand the technical nature of cybersecurity) can be daunting.”
See More: Hiring in Tech: From Employer’s Market to the Candidate’s Market
How Are CISOs Managing the Uptick in an Economic Downturn
“CISOs are evaluating their security stacks to identify which tools are really delivering on their promises. They can no longer afford to hire top-level cybersecurity talent for every tool in their stack – and technical talent is even more scarce lately,” Villadiego said.
“Instead, CISOs have to rely on tools that can be operated by level-one cybersecurity analysts while also training cybersecurity talent in-house.”
Meanwhile, McCullough takes a more statistical approach whose goal is more or less the same — adapting to the macroeconomic environment and accepting a certain level of risk.
“The first step has to be risk mitigation. Investing in security for security’s sake helps no one. Managing the economics of risk involves CISOs and the wider business agreeing on, and learning to live with, an acceptable level of risk. That means listing out all the risks, prioritizing, and allocating budget to mitigate the biggest threats first.
It also means working smart, especially in an economic downturn, when there’s additional pressure on budgets leading to increased risk. It becomes more important than ever that companies get the security basics right. Establishing good security hygiene takes time and effort, but it’s not rocket science.”
How Can CISOs Future-Proof the Security Job Market
McCullough shared her two-pronged approach to ensure buoyancy in cybersecurity roles. “Developing security champions throughout the business has always worked as a tactic for me. I’ve applied this approach to people in my own team who I’ve trained or mentored and then have continued their career paths in other business areas,” she said.
“Equally, I foster strong security connections in other teams because security affects everyone in the business.”
“As CISOs we need to be smart about how we can bolster the security resources available to us. Having security champions in different teams who understand the importance of threat mitigation not only means that they design products and services with security in mind, but it also means that as a business we can be much more agile in responding to threats.”
On the other hand, Villadiego relies on technical prowess and reiterates the need to cut down the clutter, gain and build as much knowledge base as possible and automate incident response.
“The first step is to lower the noise of false alerts. Here, orchestration with AI can help to prioritize and vet the incidents that require human analysis.
Second, incident investigation is crucial and time-consuming, so CISOs and their teams need to have as much information in one central place as possible, ready to cross-reference and verify timelines.
Third, automating incident response means that security teams don’t have to be on call 24/7. If the malicious activity can be identified early enough and that activity blocked before the incident escalates, the rest of the remediation work can be done during normal business hours.”
What is the biggest security challenge your organization faced in 2023? Comment below or let us know on LinkedIn, Facebook or Twitter. We’d love to hear from you!
Image Source: Shutterstock
MORE ON CYBERSECURITY
