CISOs are highly paid and short-lived in their positions for a reason. It’s a relentlessly difficult job to do well, requiring a unique mix of skills to pull it off successfully. Great CISOs need to have the technical chops to know whether their team is effectively managing infrastructure and to keep abreast of cyberthreats that impact their organization. But they also need the soft skills to navigate the political minefields inherent in changing business culture and processes to minimize risk. Among other things, this means being able to effectively communicate up and down the food chain and being able to translate technical risk into financial impacts.
With such a varied list of job requirements, it’s no surprise that many CISOs love their jobs and careers but still hate certain aspects of their daily work lives. According to experts in the field, the following are some of the least favorite duties that top security executives would rather shift to the bottom of their to-do lists if they had their druthers.
Documenting Security Activity and Risk Exposure
It’s not enough simply to reduce risk in an organization. You’ve also got to document how all the moving parts of a security program are working: what’s being done, by whom, when and why. Most importantly, the program needs to be tracked for efficacy, to show which risks have been remediated and which the organization is still exposed to.
This is a mammoth task, made all the more difficult because it usually requires a constant wild-goose chase to hunt down the right data to populate reports. According to a recent study by Osterman Research and Bay Dynamics, 81 percent of security executives rely on manually compiled spreadsheets to report data to the board.
“Enterprises tell us that cyber-risk reporting is a challenging, tedious and manual time-suck,” says Ed Bellis, a former CISO at Orbitz and current CTO at Kenna Security, who says it can take hundreds of spreadsheet hours to generate a single report.
Dealing with Compliance Minutiae
Tangential to documentation is all the crossing of t’s and dotting of i’s in complying with an increasingly complex set of regulatory requirements. There’s a governance, risk and compliance trifecta of red tape and procedural exercises that can grow tiring when a CISO would much rather be dedicating time to actually addressing threats.
According to James Carder, CISO of LogRhythm, this includes “writing and enforcing security policies, standards and guidelines, completing security questionnaires like SIG and SIG Lite, and dealing with auditors.”
The last of these is particularly onerous: dealing with auditors can feel like 80 percent of a security executive’s job, says Simon Puleo, security researcher for Micro Focus.
“Detecting and preventing breaches should be the No. 1 priority, not holding a consultant’s hand as they ask questions and sift through reports,” he says.
Creating Slide Decks
If there is one thing CISOs could do that would immediately improve their job satisfaction, it would be to uninstall PowerPoint from their lives forever. According to Andrew Howard, CTO for consultancy Kudelski Security, word from his CISO clients is that creating slide decks for the board eats up a lot of their time and energy.
“Virtually every CISO I hear from complains about non-stop creation of materials for the board of directors,” he says. “These materials often require literally 30 or 40 revisions and suck up a huge percentage of security leadership’s time on minute changes. This particular issue is pushing many CISOs at large companies out of the field.”
Selling Security to the Board
No matter how technically competent and knowledgeable a CISO is, if they can’t sway those who control the purse strings into funding the most effective security tools and team, they face an uphill struggle.
“CISOs do not always control the security budget and they may not even be the final authority of security solutions if the organization relies on an architecture review committee,” wrote a trio of experts for the Institute for Critical Infrastructure Technology in a report last year. “CISOs’ power derives from their ability to justify cybersecurity solutions to business and technical audiences according to the relevant criteria.”
That is why, however tedious documentation and slide-deck creation are, they need to be done well. But that’s only the start. CISOs also need to be able to present all this material capably in what one security executive calls “boardroom mode,” which can be a challenge for security pros used to the informality of IT culture.
“You need to speak slowly, avoid fillers and repeat your message in layman’s terms. You also have to dress the part. Lots of executives pre-determine who you are based on how you are dressed,” noted Anthony Siravo, CISO of Lifespan, in a recent interview. “Technical people do not always realize that how you dress matters. When I first started presenting, I wore business casual. When I switched to suits, all of a sudden they wanted to hear more from me. This is called mirroring. If you make them comfortable by dressing the part you will have better results.”
Sifting Through Vendor BS
The security vendor community is brimming with every nature of “solution” a CISO can shake a stick at. There are plenty of really innovative products out there; the trouble is finding them amid all of the duds and, more importantly, making sure they actually fill the organization’s current needs.
“In today’s threat environment, the only thing I believe that is 100 percent is eventually that I will have a breach,” wrote Gary Hayslip, CISO of Webroot, in a recent manifesto about irritating practices by security vendors. “The rest is all B.S., so don’t waste my time saying you do 100 percent coverage, or 100 percent remediation, or 100 percent capturing of malware traffic.”
Even when armed with an adequate budget, the vendor overload, the cold calls from inexperienced salespeople and the constant stream of half-baked products that overpromise and underdeliver are enough to give even the most centered security executive a migraine.