A Note on #CISOProblems


Posted on by Eric Cowperthwaite

What is it about this time of year? In the past month or so I’ve noticed even more headlines and reports than usual about the problems plaguing today’s CSOs and CISOs. If you’ve somehow managed to dodge the onslaught of grim stats, I’ll sum it up for you: #cisoproblems

  • The “bad guys” are proliferating and becoming more sophisticated.
  • Security managers are having a hard time getting enough “good guys” on their team.

I’m not knocking this research. The results may seem obvious to those of us who have spent 30+ years in the industry, but I understand that other strategic decision makers need to see these hard numbers before they’ll make investments in security. The real question is, now that we’ve established these problems are very real, what do we do about them?

Making Strides
There are two factors stopping today’s CISOs from finding and securing adequate resources to defend their organizations. One of these factors is budget limitations–but as stories of major breaches (and their consequences) have made it into the mainstream and the C-Suite has come to terms with just how disastrous a major breach could be, the purse strings have loosened. According to 451 Research’s Voice of the Enterprise: Information Security quarterly study, nearly 40 percent of enterprise security managers are expecting to increase their security budget this quarter. 

This same study also highlights a second factor inhibiting success: the industry’s skill gap. There simply aren’t enough security experts to fill all of the open positions–more than one third of the security managers polled by 451 Research reported significant obstacles in implementing desired security projects due to lack of staff expertise. Fortunately, I think we’re making great strides in this area. I’ve seen countless non-profits and CSR programs pop up over the last several years that are doing a great job promoting the opportunities in this industry and training the next generation of security experts.

Opportunities We’re Missing
You knew this wouldn’t just be an extended pat-on-the-back, right? It’s great that we’ve taken steps towards expanding budgets and shrinking the skills gap, but we’ll never have infinite resources to solve our security problems, and we certainly can’t wait 15 years while the next generation of cyber exerts grows up. In the meantime, we have a job to do, and success will require that we get creative. We need to implement processes and provide our teams with the tools that make it possible to do more with less. 

When I was a CISO, there was a security expert on my team who was making six figures working almost exclusively on low-level, clerical tasks. There was no way our server engineers could possibly address the thousands of vulnerabilities being identified by our scanners, so this individual would use Excel to sort, organize and filter the vulnerabilities based on a number of factors (whether they could be exploited, which systems they could impact, whether they were accessible from outside the network, etc.) in order to determine which were the most critical. Then he would hand off his report. That was his whole job!

What we really needed was a tool that could prioritize these vulnerabilities for us–that’s the reason I first engaged with Core Security. Once we were able to automate this task, the employee was able to shift from doing clerical work to focusing on “big picture” questions: Were vulnerabilities being patched in a timely fashion? Has our risk posture truly changed? Needless to say, I was getting a lot more value out of that employee’s six-figure salary.

Unfortunately, lots of organizations are missing these opportunities to maximize the effectiveness of their budget and talent. We can’t settle for throwing more resources at these #CISOproblems without being strategic about how we allocate them–we should always be evaluating how we can work smarter.

What works for you?
Based on what I know about human nature, I would think we as an industry would be relying on some quick-fixes to get us by, while putting off the implementation of “big picture” solutions. It’s encouraging to see that we’re actually doing a decent job working towards long-term goals like making security a priority for the C-Suite and closing the skills gap. But in the meantime, we shouldn’t overlook opportunities to improve efficiency. 

So, what has worked for you? Which processes or solutions have upped your efficiency, freeing up staff to focus on truly managing business risk? Post your answers in the comment section below or reach out to me on Twitter. And for more of my thoughts on building efficiency into your Threat & Vulnerability Management program, check out my TVM Maturity Model.


Contributors
Eric Cowperthwaite

, Core Security Inc.

Business Perspectives

professional development & workforce security operations

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs