Dulieu acknowledges that his approach isn’t “an overnight fix” but says it has had big payoffs. The approach spreads out expertise and, thus, creates a better balance of work for everyone. It has helped upskill more workers, who are gaining more recognition — including spot bonuses. And all of that has helped boost retention efforts, which in turn created a more tenured and more efficient team.
Going solo on vendor research
Dulieu says researching, selecting, and implementing new security tech can keep CISOs and their security teams buried in reviews and analyst reports, rather than providing the security services they’re actually hired to do. However, there’s no reason to do all that work alone.
Dulieu developed a strong working relationship with a value-added reseller (VAR), saying he relies on that company and its team of experts to do that legwork and advise him on the findings. “They bring a level of expertise; that’s the best of ‘value add.’ They spend the whole day assessing vendors. That’s only a portion of what I can do as CISO, but that’s all they do,” he says.
Dulieu says the partnership doesn’t eliminate all the steps he and his team need to take; for example, he still oversees the proof-of-concept work required when considering new tools. But the partnership has given him time back: Dulieu estimates that working with a VAR saves him and his team about 120 hours of work and speeds up the entire process by six weeks for each new implementation.
Requests for information
With security now a board-level concern and the focus of a growing number of regulations, today’s CISOs and their team members are spending a lot more time responding to questions about their security programs. Providing answers — whether to internal compliance teams who need the information to fulfil legal obligations or external business partners who want assurances — is now an expected part of the modern security department’s responsibilities. Yet it’s not the most effective use of worker time.
“It’s not only frustrating, but it also sucks up a lot of time,” says Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), a nonprofit professional association, and field CISO at Hyperproof. There are strategies for meeting security’s obligations to provide information without tying up CISOs and their teams too much, he and others say. McGladrey says automation is one such strategy, saying that “evidence of control operations should be automated, and evidence of effectiveness can also be automated.”
Another strategy: have information ready to provide. “Most CISOs spend an inordinate amount of time responding to security questionnaires, so to get ahead of that, share things like a SOC 2 report,” McGladrey says.
Mandatory security training
Jamil Farshchi, executive vice president and CISO at Equifax, says his team, despite being security professionals, had to attend the company’s mandatory annual security training that he, too, had to attend. “I thought, ‘Why am I wasting an hour?’”
Frustrated by that lost time, Farshchi and his team developed and implemented a test-out process. They carefully crafted a collection of questions and designed a test that would randomly select 50 questions from various topics to present to each test-taker. If the worker scores high enough, thereby demonstrating a solid grasp on a full range of security practices, then he or she can opt out of the mandatory training.
Farshchi says he had executive support for the program. He notes, too, that his security team creates scorecards that rate worker and contractor security-related behaviors, so they can identify individuals whose actions indicate they need additional or targeted training. As a result, he says he was confident and able to demonstrate that the test-out approach didn’t increase risk for the company. He says the approach has given thousands of hours back to his security workers and the company as a whole.
Risk assessments and security evaluations with too many people involved
Farshchi says his company had an established process where planned technology projects underwent a chain of approvals before implementation, with multiple individuals or teams evaluating and assessing the plans. He had his team dive into why the process involved multiple teams and whether all those layers of assessment provided value. “What they found was that the value proposition was really low. We were doing a lot of work that provided little value, and it was causing capacity constraints on security,” Farshchi says. So he eliminated superfluous links in that approval chain.
Then he went further, automating security controls and creating a “fast pass” type program whereby development teams that consistently adhere to security requirements only need a security evaluation before final production. Those changes, Farshchi says, have turned back more time for security teams without increasing new risks.
Too many messages
Mike Manrod, CISO of Grand Canyon Education, had a problem with emails: Both he and his team were getting too many. When he stepped into his current CISO post, the security team’s general email account was receiving about a million emails a year from distribution lists, security systems sending alerts, and other sources. It’s a figure that Manrod immediately recognized as a burden on his team’s time as well as on the email system (which crashed regularly when he first arrived on the job). As CISO, Manrod also received many of those messages in his own inbox; he estimates that he got about 100,000 a year, which took five to 10 hours a week to wade through.
He decided to reclaim some of that time for his team and himself by implementing a new security information and event management (SIEM) system. That cut down on the overall number of alerts coming from disparate systems. It also let the team create rules about what information could be displayed in dashboards and what information should be sent as alerts, further cutting down on email volume.
This work brought the number of emails in the general mailbox down to 95,000 annually. The emails were then prioritized, creating a more manageable system that saved workers from wading through unimportant information and instead let them focus on the messages that mattered most.
Several CISOs list communication demands as another necessary task that can take a disproportionate amount of time and energy for the value it provides. They offer ideas on how to create a better balance.
Manrod, for example, says he has become more selective about the reports he produces. He continues to write reports he has identified as essential, such as those going to the board and other executives. But he dropped others, suspecting that some reports weren’t offering anything necessary and consequently wouldn’t be missed if they went away. “Usually nobody noticed it was gone,” he adds.
Farshchi also brought more efficiency to communication tasks by identifying and using those individuals who are strong communicators and skilled at developing presentations. “You have architects and engineers trying to put together slides and it’s just a trainwreck,” Farshchi says, admitting that he himself isn’t gifted at the task. “It takes me too long, and I’m not good at it.”
On the other hand, he says those who are talented communicators can not only develop security messaging faster, but they also typically produce a higher-quality product.
Reviewing suspicious emails
The security team at Lexmark has a mechanism for workers to report emails that they think might be phishing attempts. It’s an important security feature, given how pervasive and successful phishing attacks are these days, says CISO Bryan S. Willett. “If the user took the extra step to click the phish alert button, our goal in that process is to respond quickly to the user to say either ‘Yes, it was malicious, thanks for notifying us’ or ‘No, it’s not phishing,’” Willett says.
Yet Willett also saw how much time his security department was spending on this process. As a result, he created a more efficient way to review suspect emails. He had a worker study legitimate emails that had been tagged as suspicious and identify keywords that helped indicate they were, indeed, legitimate.
The worker used that data to create an automated tool that reviewed questionable messages and then advised the initial recipient whether an email was a legitimate message or was indeed a phish.
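As an added illustration of the kind of rules-based triage described above (example code written for this article, not Lexmark’s tool), the script below checks a user-reported message against a hypothetical list of phrases seen only in legitimate internal mail, and clears it only when the sender is also an internal domain and the gateway’s DMARC result passed, so a keyword alone can never clear a message. The keyword list, `example.com` domain and sample emails are all constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed, hypothetical list: phrases the review found only in legitimate
# internal mail that users had nonetheless reported as suspicious.
LEGIT_KEYWORDS = ("benefits enrollment", "quarterly all-hands", "expense report approved")
INTERNAL_DOMAINS = {"example.com"}  # placeholder for the organisation's own domains

def sender_domain(msg):
    """Return the lower-cased domain of the From address ('' if malformed)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def dmarc_passed(msg):
    """Trust only the Authentication-Results header stamped by our own gateway."""
    return "dmarc=pass" in msg.get("Authentication-Results", "").lower()

def triage(raw):
    """Classify a reported email as 'legitimate' or 'needs_analyst' with reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [k for k in LEGIT_KEYWORDS if k in text]
    reasons = []
    if not hits:
        reasons.append("no known-legitimate phrase")
    if sender_domain(msg) not in INTERNAL_DOMAINS:
        reasons.append("sender not internal")
    if not dmarc_passed(msg):
        reasons.append("DMARC did not pass")
    # Anything not cleared by all three checks goes to a human analyst.
    verdict = "legitimate" if not reasons else "needs_analyst"
    return {"verdict": verdict, "reasons": reasons, "keywords": hits}

def reply_to_reporter(result):
    """Text sent back to the employee who clicked the report button."""
    if result["verdict"] == "legitimate":
        return "Thanks for reporting. We reviewed the message; it is legitimate, not phishing."
    return "Thanks for reporting. The message has been queued for analyst review."

# Constructed sample: a real HR reminder that an employee reported anyway.
LEGIT_SAMPLE = """From: HR Team <hr@example.com>
To: staff@example.com
Subject: Benefits enrollment closes Friday
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Reminder: benefits enrollment closes this Friday.
"""

# Constructed sample: same wording, but external look-alike sender and DMARC fail.
SPOOF_SAMPLE = """From: HR Team <hr@example-hr-portal.test>
To: staff@example.com
Subject: Benefits enrollment action required
Authentication-Results: mx.example.com; dmarc=fail header.from=example-hr-portal.test
Content-Type: text/plain

Your benefits enrollment is incomplete. Log in now to avoid losing coverage.
"""
```

Running `triage` on both samples clears the first and routes the second to an analyst because the keyword match is outweighed by the external sender and failed DMARC check.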
Willett says automating the review process “had real implications on the bandwidth of the team,” explaining that they clawed back significant amounts of their work hours that could then be used on higher-value security tasks.
Willett says his security team continues to fine-tune filters to ensure they’re stopping malicious emails without blocking legitimate ones — a constant balancing act. And he is implementing an AI-enabled commercial tool to replace his homegrown rules-based filter, expecting to add even more efficiency to the email review process.