According to recent Symantec commissioned research of over 3,000 senior security professionals, 82% of people in these roles feel burnt out and two thirds are thinking of quitting the industry. I find this alarming and it leads me to believe that there are significant mismatches in the expectations of Boards and stakeholders versus what can actually be achieved with the resources available.
Why should anyone in security feel under more pressure than those in other roles? Have they been set up to fail?
Having been a Chief Information Security Officer at a number of different organisations, I’ve had my fair share of stressful scenarios to deal with, but over time I’ve developed ways to alleviate some of the day to day pressures. Cyber security is a risk to be managed like any other corporate risk, albeit one that is less understood than traditional risks such as fraud or customer loyalty. This doesn’t mean you need to aim for zero risk, which is clearly impossible, but I see so many security teams trying to do just that.
If we use the example of fraud there comes a point of diminishing returns, where the cost of further reducing the risk is greater than the impact of a loss event. The same is true with cyber security, but it’s harder to define what the losses will be, so security professionals tend to want to go after everything.
Security teams still need to maintain a keen sense of urgency, but they have to follow a risk-based approach. Understand what’s really going to hurt the business and what isn’t - you can’t secure everything all of the time.
Prioritisation should be based on what your stakeholders believe will have the greatest impact to the business. For example, a data breach might not be the worst thing that could happen compared to the inability to produce or ship your products, yet so many companies are still prioritising their systems based on what data they process and not those that keep the business running.
Clarity with stakeholders is key, both on what you are going to go after based on the resources you’ve been given and, more importantly, what you’re not going to go after. If your Board isn’t happy with the residual risk then they can stump up more money, either way they, not the security team, are signing off on it.
Additionally, the sheer volume of security vendors all claiming to have the silver bullet creates a lot of uncertainty and a proliferation of security tooling, all requiring hard to find skills. A lack of integration between security tools makes workloads increase significantly, so try and aim for a security tooling stack that plays nicely and works as a coherent system, not one where your tools are constantly competing for attention.
Do less with more. I know it’s a cliché, but security really is everyone’s job. Focus on implementing low-friction self-service security for IT teams to keep their platforms up to date and consider how to automate existing processes.
Finally, make sure that risk owners are those who are most empowered to make a change. More often than not those people are the actual benefactors of the system or process in question, rather than the IT or security teams. If there’s a serious security concern with your HR system, it should be the HR Director losing sleep, not the security team – assuming they’ve done their job and clearly articulated the risk that is!
By Richard Brinson