
Mary K. Pratt
Contributing writer

Tasks that bog down security teams (and what to do about them)

Feature | 21 Aug 2023 | 13 mins
Topics: Business IT Alignment, CSO and CISO, Human Resources

Budgetary and staffing issues are putting pressure on CISOs and other security leaders. Here are 10 tasks that typically bog cyber teams down and what some security chiefs did to solve the problems.


Most CISOs know the challenges that come with budget and staffing constraints, and they don’t see them going away anytime soon. Recent research supports their concern — Proofpoint’s 2023 Voice of the CISO report found that 58% of global CISOs surveyed said the economic downturn heading into the year negatively impacted their organization’s cybersecurity budget, 61% said they face excess expectations and 60% experienced burnout during the prior year.

Meanwhile, surveys by security software company Tessian found that the current environment has most security pros working extra-long hours. One report found that security personnel work an average of 17 hours more than their contracted hours per week. Its CISO Lost Hours survey found that 18% of security leaders work 25 extra hours per week.

Challenges around budget and staffing constraints, as well as the recognition that cyber threats continue to rise, have many security execs thinking about how to be more efficient and more productive. To succeed in that quest, some have focused on reshaping tasks that, while necessary to perform, take more time than they’re worth. Here, security chiefs detail 10 activities that bogged down their teams and how they responded.

Security alerts

One of the most important tasks within a security program is responding to alerts, yet CISOs and their staff say this work can swamp them. A recent poll from security firm Censornet revealed that 47% of security professionals felt overwhelmed by the volume of alerts. A survey by Sapio Research for security software maker Vectra found that 67% of security operations centers were unable to manage the number of daily alerts received.

Benjamin Dulieu, CISO of Duck Creek Technologies, says he can relate to such findings. “The manual effort to have to go in every time something is triggered can be draining,” he says. “There’s a massive time burn there just in that process alone. And most of these alerts are found to be nothing; they’re false positives. Yet it’s something we have to deal with. And that derails whatever was on the agenda for the day. It’s almost like having someone constantly ringing the doorbell.”

Dulieu contracted with a managed security service provider (MSSP) to take the task off his team. “Now I have a butler answering the doorbell,” he says, noting that the move frees up time and allows his workers to stay more focused and on schedule because they’re no longer being pulled away by alerts.

Other CISOs had similar experiences, with some also opting for MSSPs; others implemented intelligence and automation to reduce both the number of false positives as well as their team’s time on the task.

An overly restrictive default mode

CISOs sometimes restrict or even block the use of or access to technologies. Although they may have strong arguments for doing so, it can create more work for security teams than the work required to establish the right guardrails in the first place.

“If you spend your time telling [other departments] what they can’t do without taking into account the business context, people will circumvent you and end up with an adversarial relationship where the rest of the business will avoid you,” says Greg Notch, CISO at Expel, a security software company. “Taking too hard of a stance will burn out your team, and you won’t be doing any of the work that really moves the needle,” he adds.

Notch speaks from experience, pointing to a situation that arose during his tenure at the National Hockey League (NHL), where he held several positions including senior vice president of IT and security.

When the marketing department was building a database of NHL fans, “I identified that as a huge risk, and had privacy and security restrictions with how they were going to work with data that were overly restrictive and that made it difficult to even build the technology that marketing needed,” Notch says. “Marketing kept coming and asking for exceptions and our security team was spending hours a week fielding these [queries] so much so we hired someone specifically for that.”

“We had applied way too much friction on the business. So, I took a step back and asked how we change so that the default answer isn’t No but Yes.” Notch reset security’s relationship with the rest of the organizational units, strived to be “super aligned with the objectives of the business,” more clearly articulated the business risks (not the security problems), and created “paved roads” that the business could follow to ensure security and still achieve its objectives.

(Over)reliance on go-to workers

Like many executives, Dulieu had a handful of go-to workers who were constantly being tapped for their insights and expertise. He saw several problems with that situation.

First, it was an inefficient use of his workers’ time, as it pulled those go-to workers away from planned, prioritized tasks while not adequately using employees who were working on less pressing projects.

Second, the situation created more inefficiencies among his staff. Dulieu says always using those go-to workers meant they were able to continuously build their expertise and knowledge, but it kept other workers from learning as much as they could. All of that combined could be bad for employee retention, he adds, as it could overburden some, leading to burnout, while undervaluing others who may see limited growth opportunities as a result.

To head off such problems and better balance his team’s time, Dulieu created SWAT teams. He assigned a team to each IT implementation and tasked it with developing a deep understanding of that system, with those team members then responsible for fielding security-related questions about it. “That allows for cross-training and creates deeper bench strength,” Dulieu says.

Dulieu acknowledges that his approach isn’t “an overnight fix” but says it has had big payoffs. The approach spreads out expertise and thus creates a better balance of work for everyone. It has helped upskill more workers, who are gaining more recognition — including spot bonuses. And all of that has helped boost retention efforts, which in turn created a more tenured and more efficient team.

Going solo on vendor research

Dulieu says researching, selecting, and implementing new security tech can keep CISOs and their security teams buried in reviews and analyst reports, rather than providing the security services they’re actually hired to do. However, there’s no reason to do all that work alone.

Dulieu developed a strong working relationship with a value-added reseller (VAR), saying he relies on that company and its team of experts to do that legwork and advise him on the findings. “They bring a level of expertise; that’s the best of ‘value add.’ They spend the whole day assessing vendors. That’s only a portion of what I can do as CISO, but that’s all they do,” he says.

Dulieu says the partnership doesn’t eliminate all the steps he and his team need to take; for example, he still oversees the proof-of-concept work required when considering new tools. But the partnership has given him time back: Dulieu estimates that working with a VAR saves him and his team about 120 hours of work and speeds up the entire process by six weeks for each new implementation.

Requests for information

With security now a board-level concern and the focus of a growing number of regulations, today’s CISOs and their team members are spending a lot more time responding to questions about their security programs. Providing answers — whether to internal compliance teams who need the information to fulfil legal obligations or external business partners who want assurances — is now an expected part of the modern security department’s responsibilities. Yet it’s not the most effective use of worker time.

“It’s not only frustrating, but it also sucks up a lot of time,” says Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), a nonprofit professional association, and field CISO at Hyperproof. There are strategies for meeting security’s obligations to provide information without tying up CISOs and their teams too much, he and others say. McGladrey says automation is one such strategy, saying that “evidence of control operations should be automated, and evidence of effectiveness can also be automated.”

Another strategy: have information ready to provide. “Most CISOs spend an inordinate amount of time responding to security questionnaires, so to get ahead of that, share things like a SOC 2 report,” McGladrey says.

Mandatory security training

Jamil Farshchi, executive vice president and CISO at Equifax, says his team, despite being security professionals, had to attend the company’s mandatory annual security training that he, too, had to attend. “I thought, ‘Why am I wasting an hour?’”

Frustrated by that lost time, Farshchi and his team developed and implemented a test-out process. They carefully crafted a collection of questions and designed a test that would randomly select 50 questions from various topics to present to each test-taker. If the worker scores high enough, thereby demonstrating a solid grasp on a full range of security practices, then he or she can opt out of the mandatory training.

Farshchi says he had executive support for the program. He notes, too, that his security team creates scorecards that rate worker and contractor security-related behaviors, so they can identify individuals whose actions indicate they need additional or targeted training. As a result, he says he was confident and able to demonstrate that the test-out approach didn’t increase risk for the company. He says the approach has given thousands of hours back to his security workers and the company as a whole.

Risk assessments and security evaluations with too many people involved

Farshchi says his company had an established process where planned technology projects underwent a chain of approvals before implementation, with multiple individuals or teams evaluating and assessing the plans. He had his team dive into why the process involved multiple teams and whether all those layers of assessment provided value. “What they found was that the value proposition was really low. We were doing a lot of work that provided little value, and it was causing capacity constraints on security,” Farshchi says. So he eliminated superfluous links in that approval chain.

Then he went further, automating security controls and creating a “fast pass” type program whereby development teams that consistently adhere to security requirements only need a security evaluation before final production. Those changes, Farshchi says, have given more time back to security teams without introducing new risks.

Too many messages

Mike Manrod, CISO of Grand Canyon Education, had a problem with emails: Both he and his team were getting too many. When he stepped into his current CISO post, the security team’s general email account was receiving about a million emails a year from distribution lists, security systems sending alerts, and other sources. It’s a figure that Manrod immediately recognized as a burden on his team’s time as well as on the email system (which crashed regularly when he first arrived on the job). As CISO, Manrod also received many of those messages in his own inbox; he estimates that he got about 100,000 a year, which required five to 10 hours a week to wade through.

He decided to reclaim some of that time for his team and himself by implementing a new security information and event management (SIEM) system. That cut down on the overall number of alerts coming from disparate systems. It also let the team create rules about what information could be displayed in dashboards and what information should be sent as alerts, further cutting down on email volume.

This work brought the number of emails in the general mailbox down to 95,000 annually. The emails were then prioritized, creating a more manageable system that saved workers from wading through unimportant information and instead let them focus on the messages that mattered most.
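The two levers Manrod describes, deciding per rule whether an event belongs on a dashboard or in someone's inbox and collapsing repeats of the same alert, can be shown in a few lines. The following is an added example written for this article, not Grand Canyon Education's SIEM configuration; the event format (timestamp in seconds, source, rule name, severity, entity key), the severity threshold and the one-hour suppression window are all assumptions, and the sample events are constructed.

```python
"""Route normalized security events to a dashboard counter or an email queue.

Added example (hypothetical): every event is counted for the dashboard, only
high/critical events are emailed, and repeats of the same (source, rule, key)
inside SUPPRESS_SECONDS collapse into the first email. This is the kind of
rule set that turns a flood of per-system alerts into a short, prioritized list.
"""
from collections import Counter

# Severities that warrant an email; everything else is dashboard-only (assumption).
EMAIL_SEVERITIES = {"high", "critical"}
# Suppression window for repeats of the same alert, in seconds (assumption).
SUPPRESS_SECONDS = 3600

# Constructed sample events: (timestamp_seconds, source, rule, severity, key).
SAMPLE_EVENTS = [
    (0, "fw", "port_scan", "low", "10.0.0.5"),
    (60, "fw", "port_scan", "low", "10.0.0.5"),
    (120, "fw", "port_scan", "low", "10.0.0.6"),
    (100, "idp", "failed_logon_burst", "high", "alice"),
    (400, "idp", "failed_logon_burst", "high", "alice"),
    (900, "idp", "failed_logon_burst", "high", "alice"),
    (3000, "idp", "failed_logon_burst", "high", "alice"),
    (8000, "idp", "failed_logon_burst", "high", "alice"),  # outside the window: new email
    (500, "edr", "malware_detected", "critical", "host-17"),
    (700, "av", "signature_update", "info", "host-17"),
]


def route(events):
    """Return (emails, dashboard): the emails to send and per-rule dashboard counts."""
    last_emailed = {}      # (source, rule, key) -> timestamp of the last email sent
    emails = []
    dashboard = Counter()  # (source, rule) -> number of events seen
    for ts, source, rule, severity, key in sorted(events):
        dashboard[(source, rule)] += 1
        if severity not in EMAIL_SEVERITIES:
            continue  # visible on the dashboard, never emailed
        dedup_key = (source, rule, key)
        prev = last_emailed.get(dedup_key)
        if prev is not None and ts - prev < SUPPRESS_SECONDS:
            continue  # same alert already emailed within the window
        last_emailed[dedup_key] = ts
        emails.append((ts, source, rule, severity, key))
    return emails, dashboard


def summarize(events):
    """Volume before and after routing, as a dict (handy for reporting the reduction)."""
    emails, dashboard = route(events)
    return {"events": len(events), "emails": len(emails), "rules": len(dashboard)}


if __name__ == "__main__":
    sent, counts = route(SAMPLE_EVENTS)
    print("emailed:", sent)
    print("dashboard:", dict(counts))
    print("summary:", summarize(SAMPLE_EVENTS))
```

On the constructed input, ten events become three emails (the first logon burst for `alice`, the malware detection, and the burst that recurs after the window expires) while the dashboard still shows all ten. Tuning the two constants is where the "constant balancing act" lives: a longer window hides less but risks masking a second incident that looks like the first.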

Communication requirements

Several CISOs list communication demands as another necessary task that can take a disproportionate amount of time and energy for the value it provides. They offer ideas on how to create a better balance.

Manrod, for example, says he has become more selective about the reports he produces. He continues to write reports he has identified as essential, such as those going to the board and other executives. But he dropped others, suspecting that some reports weren’t offering anything necessary and consequently wouldn’t be missed if they went away. “Usually nobody noticed it was gone,” he adds.

Farshchi also brought more efficiency to communication tasks by identifying and using those individuals who are strong communicators and skilled at developing presentations. “You have architects and engineers trying to put together slides and it’s just a trainwreck,” Farshchi says, admitting that he himself isn’t gifted at the task. “It takes me too long, and I’m not good at it.”

On the other hand, he says those who are talented communicators can not only develop security messaging faster, but they also typically produce a higher-quality product.

Reviewing suspicious emails

The security team at Lexmark has a mechanism for workers to report emails that they think might be phishing attempts. It’s an important security feature, given how pervasive and successful phishing attacks are these days, says CISO Bryan S. Willett. “If the user took the extra step to click the phish alert button, our goal in that process is to respond quickly to the user to say either ‘Yes, it was malicious, thanks for notifying us’ or ‘No, it’s not phishing,’” Willett says.

Yet Willett also saw how much time his security department was spending on this process. As a result, he created a more efficient way to review suspect emails. He had a worker study legitimate emails that had been tagged as suspicious and identify keywords that helped indicate they were, indeed, legitimate.

The worker used that data to create an automated tool that reviewed questionable messages and then advised the initial recipient whether an email was a legitimate message or was indeed a phish.

Willett says automating the review process “had real implications on the bandwidth of the team,” explaining that they clawed back significant amounts of their work hours that could then be used on higher-value security tasks.

Willett says his security team continues to fine-tune filters to ensure they’re stopping malicious emails without blocking legitimate ones — a constant balancing act. And he is implementing an AI-enabled commercial tool to replace his homegrown rules-based filter, expecting to add even more efficiency to the email review process.
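The keyword-driven triage Willett describes can be sketched as a small rules engine. What follows is an added example written for this article, not Lexmark's tool: the sender allowlist, the "legitimate" and "suspect" keyword lists, and the sample reports are all constructed, and the rule that anything not cleared with confidence goes to a human reviewer is the design choice that keeps the balancing act in the last paragraph from tipping toward blocking legitimate mail.

```python
"""Rules-based triage for user-reported emails (added, hypothetical example).

Three outcomes: "legitimate" (auto-reply to the reporter that it is safe),
"phish" (auto-reply that it was malicious), or "needs_review" (a person looks).
The allowlist and keyword lists stand in for what an analyst would learn by
studying past reports that turned out to be legitimate, as the article describes.
"""
import re
from dataclasses import dataclass

# Constructed: sender domains whose mail was repeatedly reported but always legitimate.
LEGIT_SENDER_DOMAINS = {"newsletter.example-vendor.com", "hr.example.com"}
# Constructed: phrases that characterized those legitimate-but-reported messages.
LEGIT_KEYWORDS = {"unsubscribe", "quarterly newsletter", "benefits enrollment", "town hall"}
# Constructed: phrases common in the reports that were confirmed malicious.
SUSPECT_KEYWORDS = {"verify your account", "password expires", "urgent", "wire transfer"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class ReportedEmail:
    sender: str
    subject: str
    body: str


def sender_domain(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def org_of(domain):
    """Crude registrable-domain approximation (last two labels); fine for the demo."""
    return ".".join(domain.split(".")[-2:])


def link_domains(body):
    """Host names of every http(s) link in the body."""
    return {m.group(1).lower() for m in URL_RE.finditer(body)}


def triage(msg):
    """Return (verdict, reasons) for one reported email."""
    text = f"{msg.subject}\n{msg.body}".lower()
    legit_hits = sorted(k for k in LEGIT_KEYWORDS if k in text)
    suspect_hits = sorted(k for k in SUSPECT_KEYWORDS if k in text)
    dom = sender_domain(msg.sender)
    foreign_links = sorted(d for d in link_domains(msg.body) if org_of(d) != org_of(dom))

    # Rule 1: lure phrasing plus links that leave the sender's organization -> phish.
    if suspect_hits and foreign_links:
        return "phish", [f"suspect phrases: {suspect_hits}", f"external links: {foreign_links}"]
    # Rule 2: known sender, known newsletter/HR phrasing, nothing suspicious -> clear it.
    if dom in LEGIT_SENDER_DOMAINS and legit_hits and not suspect_hits:
        return "legitimate", [f"known sender {dom}", f"legit phrases: {legit_hits}"]
    # Rule 3: everything else is ambiguous; a human decides rather than the rules.
    return "needs_review", [f"sender {dom}", f"legit: {legit_hits}", f"suspect: {suspect_hits}"]


# Constructed sample reports covering each outcome.
SAMPLES = {
    "newsletter": ReportedEmail(
        "news@newsletter.example-vendor.com", "Quarterly newsletter",
        "Product updates inside. To unsubscribe: https://newsletter.example-vendor.com/unsub"),
    "lure": ReportedEmail(
        "it-support@example-helpdesk.net", "Urgent: your password expires today",
        "Verify your account at https://login.example-helpdesk-reset.com/reset"),
    "invoice": ReportedEmail(
        "partner@example-partner.org", "Invoice attached", "Please review the attached invoice."),
    "hr_urgent": ReportedEmail(
        "hr@hr.example.com", "Urgent: benefits enrollment closes Friday",
        "Enroll at https://hr.example.com/benefits before the deadline."),
}


def run_samples():
    """Verdict for each constructed sample, keyed by name."""
    return {name: triage(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict, reasons = triage(msg)
        print(f"{name:10s} -> {verdict:12s} {reasons}")
```

The fourth sample is the instructive one: a genuine HR notice from an allowlisted sender that happens to use "urgent" is neither auto-cleared nor flagged as phishing; it is routed to a reviewer, which is the cheap way to keep the filter from blocking legitimate mail while the keyword lists are still being tuned.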