EDITOR’S QUESTION
JIM DOGGETT, CISO, SEMPERIS
The cybersecurity job has always been one for the firefighters – it is nonstop. Its nature is also one of peaks or valleys: when a problem such as an attack or breach occurs, all hands are on deck until the problem is solved. However, there are steps we can take to make the security environment less stressful, more productive and more flexible, resulting in less burnout.
Firstly, it’s important to set clear expectations up front. In hiring, we often try to sell the perfect environment: exciting work, standard work schedules, low stress. Although these are things we all strive for, they are rarely the reality. The security professional’s career will always have times of heavy workload and stress. It doesn’t make sense to promise one thing and then deliver another.
Organisations should automate as much of their day-to-day operations as possible. Most security professionals spend too much time doing busy work: putting together reports, gathering data, preparing presentations. Not only is this unproductive, it’s boring work that can lead to dissatisfaction. This issue can be addressed only through automation. We have adopted the philosophy of implementing no new tools or processes unless they can be automated end-to-end, so we can utilise our scarce resources doing security and not administrative work.
There also needs to be a bigger focus on the relationship between security, IT and business units. Often, the connections between these departments are not great, forcing security professionals to take on tasks and roles that should really belong to others. By focusing on these relationships, security professionals can garner their support, which will make life so much easier. This is a long-term effort, but it might be the biggest contributor to a security team’s satisfaction.
Finally, teams should always finish what they start before moving on to the next project. I’ve seen way too many ‘security projects’ that never seem to be finished. For example, you get new software installed, but between scope creep, tuning and impact to users, valuable resources remain focused on the project for far too long. Better planning can do much to help solve this issue, but security leadership must also define when the job is done and what is considered good enough.
Another important step is to bring risk management discipline into the core of the security strategy. Not only is eliminating all cybersecurity risks impossible, it isn’t cost-effective either. This leads to continuous begging for a bigger budget. Instead, we should prioritise our risks based on impact to the business, allocate budget to the highest risks, and draw a line when the money is used up. Let the board or senior management decide if too much risk remains and warrants more budget.
www.intelligentcxo.com