Security Think Tank: Burnt out CISOs are a huge cyber risk
Cyber criminals are enjoying a boom during the Covid-19 pandemic, and security teams are working overtime as a result. How can security pros manage their increased workload, safeguard their mental wellbeing, and avoid burnout?
While the extraordinary times in which we find ourselves are creating challenges on many levels, some sectors of society are enjoying a boom.
Cyber criminals are among the beneficiaries of coronavirus, as the lockdown forces people to adopt often unfamiliar practices, including working from home, that create openings in previously well-protected company infrastructures and networks.
IT security teams have their work cut out to ensure that the huge proportion of staff now working remotely are able to do so effectively, but without putting the organisation at risk from bad actors.
As for many other sectors of the population, this increased workload, responsibility and weight of expectation puts security teams under huge pressure and increases the risk of mental health problems.
Here we look at some of the technical considerations that it’s easy to neglect. Addressing them can make a significant difference and, because they can be controlled and managed, provide security pros with the all-important reassurance that they are doing their job effectively. We also outline organisational and personal activities that will help to alleviate stress as far as is possible.
When one subject – in this case Covid-19 – dominates every aspect of life, it is easy for malicious players to use it as a route to phish critical details from organisations; a request for a corporate username or information that will ‘improve the work from home capability’, for example, may currently appear more legitimate than it might in normal circumstances.
The primary defence against this harmful activity is clear and constant communication, potentially reinforced with detective controls such as endpoint detection and security information and event management (SIEM) to monitor for suspect activity that could result from stolen credentials.
For business operations to continue while everyone works from home, it is unlikely that enterprise information can remain within a controlled landscape – people will use IT assets in different ways via unsecured networks or personal devices. Making internal resources accessible only through secure virtual private networks (VPNs) needs to be considered, with the added check that these are, or can be, scaled appropriately.
The nature of remote working encourages a bring-your-own-device (BYOD) approach, which introduces another layer of uncertainty and additional considerations, including whether employees’ personal devices have the right security controls, such as patches and anti-virus software. People also need to be made aware of their obligations to keep the organisation’s critical information assets secure.
IT security professionals have the technical expertise to handle these issues. The difference is the scale at which deployments currently need to be carried out and the high-octane environment in which coronavirus is forcing people to operate.
The combination of heavy workload and high pressure, taken in conjunction with the finding in Nominet’s (pre-Covid-19) CISO stress report that 71% of CISOs thought their work-life balance was poor, makes it clear that time needs to be devoted to looking after the mental health of IT security professionals. This can be done at an organisational and personal level.
New (temporary) ways of working
Security teams spend a lot of time in meetings discussing the status of a project, issues to overcome and the next steps, with the risk that there is limited time to investigate and resolve the issues in question.
Now more than ever, it is important to look at new ways of operating that reduce unnecessary workload and ensure conversations are targeted to deal with immediate issues.
One option is to temporarily change service-level agreements (SLAs) in line with the current threat situation. Formally agreeing to longer timeframes to address lower priority requests means the more critical actions can be carried out as required, without inflicting an excessive level of stress on the security team.
Collaboration and knowledge-sharing
The Covid-19 coronavirus pandemic has introduced new risk trends for security teams to handle – the increased demand for video-conferencing, for example, has resulted in the major issue of ‘Zoom-bombing’.
Covering these aspects alone can be daunting (and isn’t necessarily the best way to take down a cyber criminal). In contrast, collaborative brainstorming sessions to discuss the different threats and risks find jointly sourced solutions and stimulate further discussion points. They also provide the opportunity for people to interact with colleagues.
Security teams therefore need to encourage knowledge-sharing, which also helps individual members manage workload (and ultimately avoid burn-out).
Time management techniques are vital to ensure workload is managed effectively, and all members of the security team need to be encouraged to use them.
Examples include planning the day in advance via to-do lists/personal organisers, goal setting which allows a task to be completed over a set number of days, the avoidance of multi-tasking, and the use of time tracking software to allocate time appropriately during the day.
Security professionals also need to say ‘no’ to taking on pieces of work for which they don’t have time; the result of taking them on will be poor or late execution that potentially increases the risk to the organisation and/or detrimental levels of stress for the individual.
Working and living at home
As referenced above, work-life balance is already an issue for security pros, and this is only going to be exacerbated by the current crisis. As well as the enormity of the situation, working at home makes it more likely for the domains to blur. When the commute is simply downstairs or across the landing, and there are limited opportunities for non-work activities, staying “in the office” is an easy option.
Practical but simple options include creating a personal, segregated workspace, or dressing for the office to adopt a work mindset. Sticking to normal working hours is also helpful, along with packing away a company laptop at the end of the day to avoid the temptation of an email check turning into several more hours of work-related tasks.
It’s also important to take enough breaks. In normal circumstances, this includes appropriate amounts of holiday to ‘recharge’, but even without the option to leave the house for anything other than essential activity, it’s critical to avoid spending the day chained to the desk. Time off refreshes the mind and allows for more effective and sharper decision-making in the long run.
Here, exercise – important at any time – is currently everyone’s friend. Fitting in even 30 minutes can seem counter-intuitive when there is already a daunting workload, but regular sessions improve productivity and provide the all-important break from the screen. Security professionals therefore need to build exercise into their daily routine.
It’s important that IT security team leaders acknowledge that the situation is extraordinary and schedule time for informal and personable discussions with team members to understand if people are struggling and find a joint resolution.
In turn, security professionals also need to be honest with their managers and other members of the team, communicating clearly if they are stressed and finding it difficult to manage. This is critical to all concerned – a burnt out security team is the biggest risk of all to an organisation.