
Cybersecurity solution overload causes ‘CISO solution fatigue’

FEATURES: NZ Security, Aug/Sep 2016

With a reported average turnover rate of 17 months, it appears that Chief Information Security Officers (CISOs) are not oozing with job satisfaction. Such is the case according to a recent report by the US-based Institute for Critical Infrastructure Technology (ICIT), ‘CISO Solution Fatigue: Overcoming the Challenges of Cybersecurity Solution Overload’.

The high turnover rate, ICIT argues, can be blamed on the significant pressure brought to bear on CISOs from relentless cyber threats and adversaries, from an overabundance of security solutions pushed by hard-sell vendors, and from communication difficulties within their own organisations.


Relentless cyber threats

Due to the plague of advanced persistent threats (APTs), malware, ransomware and other malicious initiatives by invisible adversaries, the CISO role is becoming increasingly critical. Unfortunately, this also means that in many cases CISOs operate under the unrealistic expectation that they should be able to safeguard their organisation from every conceivable breach despite having only a finite budget to draw from.

“They are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organisation,” states the report. “As a result, modern CISOs tend to function more as Chief Information Risk Officers, managing the risk to data and technology within the organisation.”


Solution overload

Perhaps the most intriguing, yet ironically obvious, reason for rapid burnout is the growing phenomenon the report authors refer to as ‘solution overload’. Some CISOs say they may hear hundreds of company pitches for security tools and solutions annually, and this creates pressure to find a comprehensive solution from among the cacophony of vendor offerings.

According to the report, between 2010 and 2015 investors funded approximately 1,208 private cybersecurity startups in the US to the tune of over $7.3 billion. Each of these startups is doing its best to push its competitors out of the market, and does so by over-promising and under-delivering on its proposals and offering “unreliable silver bullet solutions.”

The report also points to the bloating of the vendor market due to the availability and affordability of cloud architecture. “Software as a service (SaaS) delivery models have a very low barrier to entry,” it states. “This allowed for cybersecurity startups that promised to solve every problem imaginable or who created new problems to solve.”

CISOs, it recommends, can reduce solution overload by ignoring the hype surrounding a solution, and instead looking for the value offered and its relevance to the organisation’s security needs. “Rather than investing in innovative solutions, the CISO can adopt or customize tools that have already had lasting success in the industry.”


Communication difficulties

Communication with decision makers within one’s own organisation is one of the most important and exhausting responsibilities of a CISO, according to the report. It quotes a recent comment by William Lay, former CISO at the US State Department, who said: “The hardest thing about getting a new idea in is getting the old idea out, and that’s particularly true in cybersecurity.”

“The CISO must defend their solution based on technological gaps and internal organisational risk tolerances,” states the report. In mounting this defence, it suggests, the most influential tool a CISO can leverage is a cyclical information security risk assessment “that identifies the critical assets of the organisation and defines the risk to those assets according to the current threat landscape.”

“Qualitative justifications can be used to persuade stakeholders that a solution is feasible, though quantitative metrics are more convincing and more easily understood by nontechnical audiences.”

Perhaps the best thing a CISO can do to ease their own stress is to understand and acknowledge their own limitations. CISOs and their information security teams, the report reminds us, cannot monitor every aspect of the organisation and the threat landscape.

“Personnel become bogged down by data from log sources, information from endpoints, information from identity management systems, deep packet visibility, and internal and external threat intelligence.” Tools such as educational security awareness solutions can be used to change poor employee behaviours, and user behavioural analytics systems can be used to identify insider threats.


© 2015. Defsec Media Limited. All Rights Reserved.