As a CISO, you wear many different hats at work every day.
From putting out fires, ironing out security issues, handling threats, managing costs, improving performance, to stroking delicate egos, your job is pretty unconventional.
Here are six problems that you face at work:
- Managing Assets and IT Hygiene
- Governance, Risk, and Compliance
- Reporting and Documenting
- Assessing False Positives/Alarms
- Administering Egos and Personalities
- Braving Meeting Fatigue
Let’s look at each of these in turn.
Managing Assets and IT Hygiene
Today, as the Chief Information Security Officer (CISO), you need to make informed decisions about your information technology portfolio.
For this, you need the support of different teams within your organization.
Most of the time, you find that you and your teams run into hurdles in your endeavors rather than receiving support.
The most common issues that CISOs face with respect to Asset Management and IT Hygiene are:
- You do not have access to enough high-quality data
- You experience delays in formulating judgments and then putting those decisions into action
- The tools you get to use within the organization are old. Older tools have a hard time meeting the demands of modern IT. You have a difficult time convincing the different teams to move to new, more relevant tools.
- Not every endpoint on the network is a laptop, desktop computer, or server. It could be a tablet, a printer, or any other industrial or consumer Internet of Things device.
As a result, many of the business areas you are in charge of face information security challenges.
There are solutions to these.
- CISOs need to understand the importance of good IT hygiene, which means cleaning up the cloud and SaaS assets. This will help ensure safe operations and deal with cloud security pain points effectively.
- CISOs must be equipped to deal with vulnerabilities, such as errors in software that may be exploited for gain.
- You can provide employees with a way to easily register, authenticate, and approve their devices safely.
- Timely updating of tools also helps deal with many efficiency and security-related problems.
Governance, Risk, and Compliance
Governance, risk, and compliance is primarily concerned with navigating the company’s culture, people, and processes.
It is the responsibility of the CISO to ensure that security policies, standards, and recommendations are followed uniformly throughout the organization.
For this, you require a lot of documentation and effort from key stakeholders.
Some issues that CISOs face with respect to Governance, Risk, and Compliance (GRC) are:
- Not all employees within an organization are concerned with security. Often, employees are not even aware that they are breaking security protocols.
- Another source of frustration for a CISO is dealing with third parties, such as clients or customers. Managing and maintaining third-party relationships is always a concern, since it exposes the company to many security risks.
There are some simple solutions to deal with these issues.
- It is very important that the company’s security rules are communicated to employees repeatedly, so that the responsibility for relaying them does not fall on the CISO.
- Every company must hire or assign a designated liaison to take care of GRC concerns. Besides having adequate knowledge, this person also needs to know how to communicate with people at both the executive and engineering level.
- Do not follow a one-size-fits-all approach for GRC.
- The GRC program should be aligned with the business objectives of the company.
Writing Reports and Documenting
Report writing and documentation are important parts of a CISO’s job, even if not the most interesting.
The most common issue that CISOs face with respect to Report Writing and Documentation is:
- Not all CISOs are proficient when it comes to writing reports. But maintaining documentation and creating reports has become a necessity for CISOs.
Some of the solutions are listed below.
- CISOs can outsource the work to a writer or get someone on the team to help.
- If this is a continuous requirement, you should hire someone to work exclusively on documentation and reports, so you can spend your time on more valuable tasks that no one else but you can do.
- Alternatively, you can distribute the work among the different teams. If you consider this option, it is important to conduct training sessions for the employees so that they have a clear idea of what the job requires.
Assessing False Positives/Alarms
Risk management is a very vital part of a CISO’s job.
Hence, assessing risks is something that CISOs do on a daily basis. But not all of these risks are real. Here are some common issues that CISOs face while assessing false alarms:
- Sometimes, you spend many precious hours investigating a threat that turns out to be nothing. This not only frustrates you but also costs the company money in terms of precious staff hours.
- The team might be so tired from running around putting out fires that aren’t real that it misses critical, legitimate alarms.
Here are some solutions:
- Put systems in place that check the legitimacy of a threat before alerting the people concerned.
- If there aren’t any people in the organization who can help with this, you must hire a Managed IT Service Provider to take care of it. Though this might look like an extra spend, remember that it will help save precious hours that could be dedicated to completing other important tasks.
Administering Egos and Personalities
This may not seem like a very valid concern, but it is honestly one of the most difficult problems that a CISO has to deal with.
When you are managing people, especially people with unique skill sets, as you will find in the security industry, handling their egos is a real part of the job.
Dealing with egos is not that simple.
Here’s the solution: Strike a balance in the team by hiring a mix of experienced people and newbies who are eager to learn.
Braving Meeting Fatigue
Fatigue is a problem faced by people in many different positions, in companies across many industries.
But what causes a CISO to burn out or be overwhelmed?
- Besides the countless tasks you have to take care of, you are dragged into an endless number of meetings every day.
- You have to solve the problems of everyone from junior employees to upper management.
How can you, as a CISO, ensure that you do not run out of juice at work every single day?
- You should create a clear hierarchy that reduces your burden of communication and involvement.
- You should hire capable managers and provide them with the required training.
- You must give your managers decision-making powers on issues that can be handled without your intervention.
It is important to remember that you are not here to win the popularity contest, because the truth is that you probably won’t.
Conclusion
The job of a CISO is not easy, as we have just seen.
The only question you need to answer is: What does a CISO need to care about?
Your only concern should be to do the job right.
To do that, you need to make peace with being an anti-hero.