Facing a worsening talent shortage and increasingly active and sophisticated attackers, cybersecurity practitioners are stretched thin and overworked.
The major incidents of 2021, among them the SolarWinds supply-chain compromise (disclosed in December 2020, with response work running well into 2021), the Microsoft Exchange Server attacks, and the Kaseya ransomware attack, added to that stress and pushed many security professionals toward burnout. By adopting the three strategies below, organizations can help their security teams operate more effectively, easing the pressure on individuals and making the organization more resilient.
Elevate the CISO to report directly to the CEO
One of the most important cybersecurity lessons of the past decade is that organizations must treat cybersecurity as a core business function rather than a peripheral concern or a discretionary expense. CEOs are expected to assess risk and make decisions accordingly, yet too often cyber risk is left out of that equation. A successful attack can cost an organization millions of dollars in lost productivity, stolen intellectual property, recovery effort, or ransom payments. As every cybersecurity professional knows, it is not a matter of whether a company will be attacked but when.
For a CISO without a direct line to the CEO, conveying the seriousness of cyber risk is a major challenge. The message is hard enough to deliver to an executive who is not especially receptive to it in the first place; filtered through another layer of management, it is easily diluted. A CISO who cannot impart a proper understanding of the organization's security needs cannot secure the resources an effective security program requires, and when a security team is short of resources, the load on each individual grows. With the CISO reporting directly to the CEO, that barrier disappears: the CEO hears the full extent of the cyber risk the organization faces and can allocate resources accordingly.
Improve relationships between security and developer teams
It is commonly understood that breaking down silos between security practitioners, IT, and software developers is an essential ingredient of a successful cybersecurity program. Yet organizations continue to struggle with it. According to a recent Forrester study, 52% of developers think security policies stifle innovation, and only 22% "strongly agree" that they understand which security policies they are expected to comply with. Relationships remain strained overall: 37% say their organization's teams are not collaborating effectively or taking steps to strengthen the relationship between security and development.
When developers and security teams are not on the same page, risk multiplies. Networks end up with misconfigurations or inconsistently enforced policies, and software ships with vulnerabilities. Each of these flaws is an opportunity for attackers to gain a foothold and carry out a range of costly attacks.
One way to improve the relationship is to place security advocates on development teams. These team members should understand both security and software development and serve as the bridge for communicating security requirements to developers. They should also help the security team understand what it actually costs their developer teammates to implement a new security policy or initiative. Security then becomes collaborative and plans become realistic, rather than security handing down one-way directives to already swamped developers and demanding compliance.
Information-sharing, partnerships, and cooperation
In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive requiring federal civilian agencies to remediate, within set deadlines, hundreds of vulnerabilities that are known to be actively exploited and for which patches are available. The accompanying catalog of Known Exploited Vulnerabilities is public, so private-sector organizations can use it as a patch-prioritization list too. The directive is an early product of CISA's push for public-private collaboration, alongside its newly formed Joint Cyber Defense Collaborative (JCDC), and we will likely see more of this in 2022. Across recent federal hearings, discussions, and consultations, the thread most consistently pulled through was that organizations need to improve cooperation and information sharing, not only with the federal government but with each other as well.
The variety of threats an organization could fall victim to is too great for any one security team to guard against in full. Strategy must therefore be driven by efficiency, which means prioritizing the threats that are actually prevalent over those that are merely possible. This is where threat intelligence becomes vital, and threat intelligence is strongest when organizations tell each other what kinds of attacks they are seeing in the wild.
With attacks growing in sophistication and frequency, hardening systems against the techniques actually in use is the most direct way to raise the cost for attackers and improve the security ecosystem as a whole. It is critical that federal agencies have the tools they need to protect themselves and visibility into the threats that put the federal government at risk. Equipped with that information, security teams can focus their defenses on the likely intrusion points, making their efforts far more efficient and effective than if they were left to guess what form an attack might take.
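The directive and the prioritization argument above come together in practice as a simple triage step: check scanner findings against the public catalog of exploited vulnerabilities and work the listed ones first, earliest deadline first. The following script is an added example, not code from the original article or from CISA. It assumes the catalog's JSON layout as published (a `vulnerabilities` array whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction` and `dueDate`); the catalog excerpt, the due dates and the scanner output embedded here are constructed sample data, so the dates should not be read as the real deadlines for those CVEs. The one placeholder CVE is marked as such.

```python
import json
from datetime import date

# Constructed excerpt in the layout of the public Known Exploited
# Vulnerabilities (KEV) catalog JSON. Field names follow the published feed;
# the entries and dates are illustrative sample data, not the live catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dateAdded": "2021-11-03",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-30116", "vendorProject": "Kaseya",
         "product": "VSA", "dateAdded": "2021-11-03",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2", "dateAdded": "2021-12-10",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-12-24"},
    ],
})

# Constructed scanner output as (hostname, CVE) pairs. The format is an
# assumption for this example, not any particular scanner's export.
SCAN_FINDINGS = [
    ("mail01.corp.example", "CVE-2021-26855"),
    ("vsa.corp.example", "CVE-2021-30116"),
    ("app07.corp.example", "CVE-2021-44228"),
    # Placeholder ID standing in for any finding the catalog does not list.
    ("app07.corp.example", "CVE-2021-00000"),
]


def load_kev(raw):
    """Parse the catalog JSON into {cveID: entry}.

    A malformed feed raises here rather than silently yielding an empty
    catalog, which would make every finding look 'not exploited'."""
    data = json.loads(raw)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def prioritize(kev, findings, today):
    """Split findings into catalog hits and everything else.

    Hits are ordered by remaining time to the catalog due date, so overdue
    items come first. 'today' is an ISO date string to keep the call simple.
    Non-hits are not safe, only lower priority: the catalog lists what is
    being exploited in the wild, not what is exploitable."""
    today = date.fromisoformat(today)
    hits, others = [], []
    for host, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            others.append((host, cve))
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        hits.append({
            "host": host,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "action": entry["requiredAction"],
            "due": due.isoformat(),
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    hits.sort(key=lambda h: h["days_left"])  # stable: ties keep scan order
    return hits, others


def report(hits, others):
    """Render the triage list as plain text, one line per finding."""
    lines = []
    for h in hits:
        flag = "OVERDUE" if h["overdue"] else f'{h["days_left"]}d left'
        lines.append(f'{h["host"]:22} {h["cve"]:15} {h["product"]:22} '
                     f'due {h["due"]} ({flag})')
    lines.append(f"{len(others)} finding(s) not in the catalog; "
                 "schedule them after the list above.")
    return "\n".join(lines)


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    hits, others = prioritize(kev, SCAN_FINDINGS, "2021-12-01")
    print(report(hits, others))
```

In production the catalog would be fetched from CISA rather than embedded, and the scan findings would come from the organization's own scanner; the triage logic is unchanged. The design choice worth noting is the hard failure in `load_kev`: a parser that swallowed errors would quietly turn the whole feed into "nothing is exploited", which is the one outcome this list exists to prevent.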
The importance of a strategic vision
Cybersecurity burnout is a complex issue with many contributing factors, and I've only scratched the surface here. Plenty of other strategies and tips address different aspects of the problem, such as purchasing the right tools or setting up training programs. The power of the steps outlined above is that they require little monetary investment; what they ask for is a shift in strategic direction. Cybersecurity is now an element of corporate responsibility and should be treated as a function of conducting business rather than an expense. Your brand depends on it. Cybersecurity burnout is a major challenge, and like any major challenge, strategic organizational direction will be key to fending it off.
Tom Kellermann is Head of Cybersecurity Strategy at VMware.