How to lessen the workload on the CISO and their team

“Security” and “overtime” go hand in hand. According to a recent survey, one in five CISOs works 65 hours a week, not the 38 or 40 written in their contract. Average overtime clocks in at 16 hours a week. The same is true for the rank-and-file infosec employees — roughly half complain of burnout due to constant stress and overwork. At the same time, staff shortages and budget constraints make it very hard to do the obvious thing: hire more people. But there are other options! We investigated the most time-consuming tasks faced by security teams, and how to speed them up.

Security alerts

The sure winner in the “timewaster” category is alerts generated by corporate IT and infosec systems. Since these systems often number in the dozens, they produce thousands of events that need to be handled. On average, a security expert has to review 23 alerts an hour — even off the clock. 38% of respondents admitted to having to respond to alerts at night.

What to do

1. Use more solutions from the same vendor. A centralized management console with an integrated alert system reduces the number of alarms and speeds up their processing.
2. Implement automation. For example, an XDR solution can automate typical analysis/response scenarios and reduce the number of alerts by combining disparate events into a single incident.
3. Leverage an MSSP, MDR service or commercial SoC. This is the most efficient way to flexibly scale alert handling. Full-time team members will be able to focus on building overall security and investigating complex incidents.

Emails with warnings

Notices from vendors and regulators and alerts from security systems get sent to the infosec team by email — often to a shared inbox. As a result, the same messages get read by several employees, including the CISO, and the time outlays can run to 5–10 hours a week.

What to do

1. Offload as many alerts as possible to specialized systems. If security products can send alerts to a SIEM or a dashboard, that’s better than email.
2. Use automation. Some typical emails can be analyzed using simple scripts and transformed into alerts in the dashboard. Emails that are unsuited to this method should be analyzed, scored for urgency and subject matter, and then moved to a specific folder or assigned to a designated employee. You don’t need an AI bot to complete this task; email-processing rules or simple scripts will do the job.

These approaches dramatically reduce the number of emails that require reading and fully manual processing by multiple experts.

Emails flagged by employees

Let’s end the email topic with a look at one last category of attention-seeking messages. If your company has carried out infosec training or is experiencing a major attack, many employees will consider it their duty to forward any suspicious-looking emails to the infosec team. If you have lots of eagle-eyed colleagues on your staff, your inbox will be overflowing.

What to do

1. Deploy reliable protection at the mail gateway level — this will significantly reduce the number of genuine phishing emails. With specialized defense mechanisms in place, you’ll defeat sophisticated targeted attacks as well. Of course, this will have no impact on the number of vigilant employees.
2. If your email security solution allows users to “report a suspicious email”, instruct your colleagues to use it so they don’t have to manually process such alerts.
3. Set up a separate email address for messages with employees’ suspicions so as to avoid mixing this category of emails with other security alerts.
4. If item 2 is not feasible, focus your efforts on automatically searching for known safe emails among those sent to the address for suspicious messages. These make up a large percentage, so the infosec team will only have to check the truly dangerous ones.

Prohibitions, risk assessments, and risk negotiations

As part of the job, the CISO must strike a delicate balance between information security, operational efficiency, regulatory compliance, and resource limitations. To improve security, infosec teams very often ban certain technologies, online services, data storage methods, etc., in the company. While such bans are inevitable and necessary, it’s important to regularly review how they impact the business and how the business adapts to them. You may find, for example, that an overly strict policy on personal data processing has resulted in that process being outsourced, or that a secure file-sharing service was replaced by something more convenient. As a result, infosec wastes precious time and energy clambering over obstacles: first negotiating the “must-nots” with the business, then discovering workarounds, and then fixing inevitable incidents and problems.

Even if such incidents do not occur, the processes for assessing risks and infosec requirements when launching new initiatives are multi-layered, involve too many people, and consume too much time for both the CISO and their team.

What to do

1. Avoid overly strict prohibitions. The more bans, the more time spent on policing them.
2. Maintain an open dialogue with key customers about how infosec controls impact their processes and performance. Compromise on technologies and procedures to avoid the issues described above.
3. Draw up standard documents and scenarios for recurring business requests (“build a website”, “collect a new type of information from customers”, etc.), giving key departments a simple and predictable way to solve their business problems with full infosec compliance.
4. Handle these business requests on a case-by-case basis. Teams that show a strong infosec culture can undergo security audits less frequently — only at the most critical phases of a project. This will reduce the time outlays for both the business and the infosec team.

Checklists, reports, and guidance documents

Considerable time is spent on “paper security” — from filling out forms for the audit and compliance departments to reviewing regulatory documents and assessing their applicability in practice. The infosec team may also be asked to provide information to business partners, who are increasingly focused on supply chain risks and demanding robust information security from their counterparties.

What to do

1. Invest time and effort in creating “reusable” documents, such as a comprehensive security whitepaper, a PCI Report on Compliance, or a SOC2 audit. Having such a document helps not only with regulatory compliance, but also with responding quickly to typical requests from counterparties.
2. Hire a subspecialist (or train someone from your team). Many infosec practitioners spend a disproportionate amount of time formulating ideas for whitepapers. Better to have them focus on practical tasks and have specially trained people handle the paperwork, checklists, and presentations.
3. Automate processes — this helps not only to shift routine control operations to machines but to correctly document them. For example, if the regulator requires periodic vulnerability scan reports, a one-off resource investment in an automatic procedure for generating compliant reports would make sense.

Selecting security technologies

New infosec tools appear monthly. Buying as many solutions as possible won’t only balloon the budget and the number of alerts, but also create a need for a separate, labor-intensive process for evaluating and procuring new solutions. Even leaving tenders and paperwork aside, the team will need to conduct market research, evaluate the contenders in depth, and then carry out pilot implementation.

What to do

1. Try to minimize the number of infosec vendors you use. A single-vendor approach tends to improve performance in the long run.
2. Include system integrators, VARs, or other partners in the evaluation and testing process when purchasing solutions. An experienced partner will help weed out unsuitable solutions at once, reducing the burden on in-house infosec during the pilot implementation.

Security training

Although various types of infosec training are mandatory for all employees, their ineffective implementation can overwhelm the infosec team. Typical problems: the entire training is designed and delivered in-house; a simulated phishing attack provokes a wave of panic and calls to infosec; the training isn’t tailored to the employees’ level, potentially leading to an absurd situation where infosec itself undergoes basic training because it’s mandatory for all.

What to do

Use an automated platform for employee training. This will make it easy to customize the content to the industry and the specifics of the department being trained. In terms of complexity, both the training materials and the tests adapt automatically to the employee’s level; and gamification increases the enjoyment factor, raising the successful completion rate.