{"id":49055,"date":"2023-09-18T09:19:57","date_gmt":"2023-09-18T13:19:57","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=49055"},"modified":"2023-09-18T11:50:22","modified_gmt":"2023-09-18T15:50:22","slug":"cybersecurity-team-and-ciso-workload","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/cybersecurity-team-and-ciso-workload\/49055\/","title":{"rendered":"How to lessen the workload on the CISO and their team"},"content":{"rendered":"<p>\u201cSecurity\u201d and \u201covertime\u201d go hand in hand. According to a recent survey, <a href=\"https:\/\/www.tessian.com\/blog\/1-in-5-chief-information-security-officers-cisos-work-more-than-25-extra-hours-per-week\/\" target=\"_blank\" rel=\"nofollow noopener\">one in five CISOs works 65 hours a week<\/a>, not the 38 or 40 written in their contract. Average overtime clocks in at 16 hours a week. Rank-and-file infosec employees fare no better: roughly half complain of burnout due to constant stress and overwork. At the same time, staff shortages and budget constraints make it very hard to do the obvious thing: hire more people. But there are other options! We investigated the most time-consuming tasks faced by security teams, and how to speed them up.<\/p>\n<h2>Security alerts<\/h2>\n<p>The clear winner in the \u201ctimewaster\u201d category is the stream of alerts generated by corporate IT and infosec systems. Since these systems often number in the dozens, they produce thousands of events that need to be handled. On average, a security expert has to review <a href=\"https:\/\/censornet.com\/resources\/blog\/security-alert-overload-unsustainable-and-unnecessary\/\" target=\"_blank\" rel=\"nofollow noopener\">23 alerts an hour<\/a>, and the stream doesn\u2019t stop at the end of the shift: 38% of respondents admitted to having to respond to alerts at night.<\/p>\n<p><strong>What to do<\/strong><\/p>\n<ol>\n<li>Use more solutions from the same vendor. 
A centralized management console with an integrated alert system shows the events from all of those products in one place, which cuts the number of separate alarms and speeds up their processing.<\/li>\n<li>Implement automation. For example, an XDR solution can automate typical analysis\/response scenarios and reduce the number of alerts by combining disparate events into a single incident.<\/li>\n<li>Leverage an MSSP, <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">MDR service or commercial SOC<\/a>. This is the most efficient way to scale alert handling flexibly. In-house team members will then be able to focus on building overall security and investigating complex incidents.<\/li>\n<\/ol>\n<h2>Emails with warnings<\/h2>\n<p>Notices from vendors and regulators and alerts from security systems get sent to the infosec team by email \u2014 often to a shared inbox. As a result, the same messages get read by several employees, including the CISO, and the time outlays can run to 5\u201310 hours a week.<\/p>\n<p><strong>What to do<\/strong><\/p>\n<ol>\n<li>Offload as many alerts as possible to specialized systems. If security products can send alerts to a SIEM or a dashboard, that\u2019s better than email.<\/li>\n<li>Use automation. Some typical emails can be analyzed using simple scripts and transformed into alerts in the dashboard. Emails that are unsuited to this method should be analyzed, scored for urgency and subject matter, and then moved to a specific folder or assigned to a designated employee. 
You don\u2019t need an AI bot to complete this task; email-processing rules or simple scripts will do the job. Key them on stable fields (the sender address, a subject prefix, the advisory or ticket number a vendor puts in the subject) rather than on free text, and don\u2019t let a script trust a message just because it looks like a vendor notice: a fake \u201curgent security update\u201d is a common phishing pretext, so check the message\u2019s authentication results (SPF, DKIM, DMARC) before anything is acted on automatically.<\/li>\n<\/ol>\n<p>These approaches dramatically reduce the number of emails that require reading and fully manual processing by multiple experts.<\/p>\n<h2>Emails flagged by employees<\/h2>\n<p>Let\u2019s end the email topic with a look at one last category of attention-seeking messages. If your company has carried out infosec training or is experiencing a major attack, many employees will consider it their duty to forward any suspicious-looking emails to the infosec team. If you have lots of eagle-eyed colleagues on your staff, your inbox will be overflowing.<\/p>\n<p><strong>What to do<\/strong><\/p>\n<ol>\n<li>Deploy reliable <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">protection at the mail gateway level<\/a> \u2014 this will significantly reduce the number of <strong>genuine<\/strong> phishing emails that reach inboxes, and specialized defense mechanisms also help against sophisticated targeted attacks. Of course, it will do nothing to reduce the flow of reports from vigilant employees.<\/li>\n<li>If your email security solution allows users to \u201creport a suspicious email\u201d, instruct your colleagues to use it: the reports then go straight into the security solution instead of into the team\u2019s inbox, and nobody has to process them by hand.<\/li>\n<li>Set up a separate email address for employee reports of suspicious messages, so that this category of email doesn\u2019t get mixed in with other security alerts.<\/li>\n<li>If item 2 is not feasible, focus your efforts on automatically picking out known safe emails among those sent to the reporting address. 
These make up a large share of what gets reported, so the infosec team only has to look at what remains. Identify \u201csafe\u201d by the authenticated sending domain or by a match against a known legitimate mailing, not by the display name, which any attacker can copy.<\/li>\n<\/ol>\n<h2>Prohibitions, risk assessments, and risk negotiations<\/h2>\n<p>As part of the job, the CISO must strike a delicate balance between information security, operational efficiency, regulatory compliance, and resource limitations. To improve security, infosec teams very often ban certain technologies, online services, data storage methods, etc., in the company. While such bans are inevitable and necessary, it\u2019s important to regularly review how they impact the business and how the business adapts to them. You may find, for example, that an overly strict policy on personal data processing has resulted in that process being outsourced, or that a secure file-sharing service was quietly replaced by a more convenient, unsanctioned one. As a result, infosec wastes precious time and energy clambering over obstacles: first negotiating the \u201cmust-nots\u201d with the business, then discovering workarounds, and then fixing the inevitable incidents and problems.<\/p>\n<p>Even if such incidents do not occur, the processes for assessing risks and infosec requirements when launching new initiatives are multi-layered, involve too many people, and consume too much time for both the CISO and their team.<\/p>\n<p><strong>What to do<\/strong><\/p>\n<ol>\n<li>Avoid overly strict prohibitions. The more bans, the more time spent on policing them.<\/li>\n<li>Maintain an open dialogue with key internal customers about how infosec controls impact their processes and performance. 
Be prepared to compromise on technologies and procedures so that the workarounds described above never become necessary.<\/li>\n<li>Draw up standard documents and scenarios for recurring business requests (\u201cbuild a website\u201d, \u201ccollect a new type of information from customers\u201d, etc.), giving key departments a simple and predictable way to solve their business problems with full infosec compliance.<\/li>\n<li>Scale the depth of review to the team making the request. Teams that show a strong infosec culture can undergo security reviews less often \u2014 only at the most critical phases of a project. This reduces the time outlay for both the business and the infosec team.<\/li>\n<\/ol>\n<h2>Checklists, reports, and guidance documents<\/h2>\n<p>Considerable time is spent on \u201cpaper security\u201d \u2014 from filling out forms for the audit and compliance departments to reviewing regulatory documents and assessing their applicability in practice. The infosec team may also be asked to provide information to business partners, who are increasingly focused on supply chain risks and demanding robust information security from their counterparties.<\/p>\n<p><strong>What to do<\/strong><\/p>\n<ol>\n<li>Invest time and effort in creating \u201creusable\u201d documents, such as a comprehensive security whitepaper, a PCI DSS Report on Compliance, or a <a href=\"https:\/\/www.kaspersky.com\/blog\/soc2-audit\/28001\/\" target=\"_blank\" rel=\"noopener nofollow\">SOC 2 audit report<\/a>. Having such a document helps not only with regulatory compliance, but also with responding quickly to typical requests from counterparties.<\/li>\n<li>Hire a specialist for this work (or train someone on your team). Many infosec practitioners spend a disproportionate amount of time drafting whitepapers and filling in checklists. 
Better to have them focus on practical tasks and have specially trained people handle the paperwork, checklists, and presentations.<\/li>\n<li>Automate processes. This not only shifts routine control operations to machines but also documents them correctly as a by-product. For example, if the regulator requires periodic vulnerability scan reports, a one-off investment in a procedure that runs the scan on a schedule and generates a compliant report from its output makes sense.<\/li>\n<\/ol>\n<h2>Selecting security technologies<\/h2>\n<p>New infosec tools appear monthly. Buying every promising solution not only balloons the budget and the number of alerts, but also creates a need for a separate, labor-intensive process for evaluating and procuring new solutions. Even leaving tenders and paperwork aside, the team will need to conduct market research, evaluate the contenders in depth, and then carry out a pilot implementation.<\/p>\n<p><strong>What to do<\/strong><\/p>\n<ol>\n<li>Try to minimize the number of infosec vendors you use. A single-vendor approach tends to pay off in the long run, though it also concentrates your dependence on that supplier, so make the trade-off a deliberate one.<\/li>\n<li>Include system integrators, VARs, or other partners in the evaluation and testing process when purchasing solutions. An experienced partner will help weed out unsuitable solutions at once, reducing the burden on in-house infosec during the pilot implementation.<\/li>\n<\/ol>\n<h2>Security training<\/h2>\n<p>Although various types of infosec training are mandatory for all employees, their ineffective implementation can overwhelm the infosec team. 
Typical problems: the entire training is designed and delivered in-house; a simulated phishing attack provokes a wave of panic and calls to infosec; the training isn\u2019t tailored to the employees\u2019 level, potentially leading to an absurd situation where infosec itself undergoes basic training because it\u2019s mandatory for all.<\/p>\n<p><strong>What to do<\/strong><\/p>\n<p>Use an <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">automated platform<\/a> for employee training. This will make it easy to customize the content to the industry and the specifics of the department being trained. Both the training materials and the tests adapt to the employee\u2019s level, and gamification makes the process more enjoyable, which raises the completion rate. Whatever platform you use, brief the helpdesk and the on-call team before a phishing simulation and give them a way to recognize its messages, so that the resulting reports can be closed in bulk rather than triaged one by one.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What tasks needlessly overload infosec experts, and how to break the curse of 
overtime.<\/p>\n","protected":false},"author":2722,"featured_media":49056,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[2431,2464,4228,131,1795,3797],"class_list":{"0":"post-49055","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-ciso","10":"tag-siem","11":"tag-strategy","12":"tag-tips","13":"tag-training","14":"tag-xdr"},"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/strategy\/","name":"strategy"}}