pritha's Posts (580)


Index : 

  1. Session brief
  2. Keypoints
  3. Watch Panel video (on-demand)
  4. Executive Summary


Session Brief : 

In this panel, industry experts discuss the growing challenge of CISO burnout. The CISO role is operationally intensive, and it gets harder with the rapidly evolving vulnerability and solution landscape and with the industry-specific skills gap.

CISO burnout is a serious issue, and through this discussion we try to find out the impact of this issue on organizations and individuals. CISOs are, on average, working 11 more hours than they're contracted to work each week, with 10% working 20 to 24 hours extra a week (references in the blog). The increased strain of the CISO role shortens CISO tenure, lowers engagement with other executives and leaves less capacity to drive the team. Crucial areas like hiring, customer communication and professional development get hindered and ignored.

CISOs are overstretched (excessive hours per week, missed holidays, etc.). The staffing shortage and skills gap make it harder. The ever-increasing threat and solution landscape makes it harder to keep up and evolve the infrastructure accordingly.

Session Keypoints : 

  • What causes stress
  • Better stress management
  • Better psychology: how do we manage our work better to reduce stress?


Expert Panel (On-Demand) : 


Executive Summary & Pointers From The Discussion : 


PART 1. What Are The Causes Of Stress?

  • Stress happens when expectations don't match reality
    Stress is what happens when expectations don't match reality. For a CISO at C-level, the question is whether you're in the room when the board makes a decision. We believe security is a core function and expect to be prioritised, but in security most decisions are already made ahead of time. So for CISOs there's a lot of re-work on decisions that were already made. It would be better if the input could be given much earlier.
    [Reference example from the hierarchy of needs]
  • Tools can help
    As a CISO, I went from a 200-employee company to a large one. The company had newly gone through an IPO. You have to adjust to 'something unexpected will happen'. It takes time to get the brain prepared for this type of environment. For operational management, setting expectations and goals with the team and the board helps. Not done right, these can lead to more causes of stress.
  • Fear of the unknown
    As a CISO, you have to look at it: people will come in. Fear of the unknown is tempered by maturity in the role.

  • Manage stress through 'Expectation Management' and 'Work Management'
    Be proactive with expectations and reactive with non-expectations. With more to do and less time, we must prioritize.
    Think each time an incident happens: do we need to react, or be proactive about it?
    You have limited resources: budget, team, skills. With these resources you have to do your best to protect the business. You have to pass the big picture down to the team, so everyone owns and understands their part in the security strategy rather than being just tactical players. The goal is not to tick the activity checkbox and react, but to know it happened, handle it, and not panic about being fired. The goal is to protect the company and keep the business running. Set up a process to report incidents and run exercises to handle them.


PART 2. How To Manage Stress Better Through Work Management?

  • Effective work! Better editing. Remove fluff and focus on the most important thing
    For example, third-party risk management: how much time does the team spend reading questionnaires without ever really asking what risk those third parties actually add to the company?
    Focus on effective work. What is the minimum thing that gives the maximum safety to the company (given budget and resources)? What is the thing that is giving me stress that I am not doing anything about? Is anything else more important than the things I am currently working on? If so, that's got to change. If there's a conflict with the board or over budget, address it and try to change it. [Reference book: Start with Why]
  • Set expectations with management. Be aligned with senior management. Be transparent. Take feedback. Re-prioritize if necessary.
    Set the right expectations (goals and objectives) with senior management. Sometimes we have a roadmap and things are dynamic. Sometimes it's okay if some initiatives in the roadmap aren't done. We are here to support the business and want to help the business succeed, so it's okay sometimes if we re-prioritize and get other things done. Senior management is happy if they have the right partner (the CISO). Always be transparent. Constantly report the security status to your board.
  • As a leader, be real, be vulnerable
    Be vulnerable. Be real. You can't set a bar of 18 hours every day; don't set unrealistic expectations.
    There are lots of frameworks out there. For tactical things, use the frameworks. You need to set up your process so you're covered around the clock. Get services if you cannot set up the infrastructure. Embrace the DevSecOps mentality. If your processes are right you can handle it; you're ready when the breach happens. Being prepared allows you to be calm. Make sure your staff takes the credit for every success and you take the fall. It breeds loyalty and inspiration.
  • Gather expectations from implementors and architects. Take valuable insight from down the team.
    That way there's a realistic expectation to pass on to management. Involve your team, so they have an understanding of the big picture. That's how you retain talent and skill. The CISO's work is to protect against breaches. Our job is to help our team and empower them, or we're slowing down the efficiency of labour. Our core job in infrastructure is to help people do their job better. If we marry this concept of protecting with helping people do their job better, we get less resistance and get more done.

PART 3. Better Psychology. How Do We Manage Our Work Better To Reduce Stress?


Analogy: not being able to feel pain can be fatal too. Patients who can't feel pain might die from something like excess bleeding, since without pain they wouldn't know the severity. Stress might look like an enemy; let's see whether we can look at it positively.

  • Separate what you are doing from who YOU are to keep stress at bay
    You are not your job. You have so many more aspects to yourself. Be grateful.
  • Stress can be a friend. Stress is the warning system; it tells us 'action needed'. Take ample rest.
    Learn to be grateful. At the end of the day, write down 5 good things that happened.
  • Don't get attached to your role. Live at the gratitude level
    Remember you're an individual. You shouldn't tie yourself to the job you have; there's so much more than your job. When you're dealing with problems, recognise the level you're at on the mood elevator. Live at the gratitude level.
    [Reference: levels of the mood elevator]
  • Stress can be unhealthy too. It is best tasted in the right mix.
    Like the right amount of Jesus and whiskey. Maintain the balance. Make sure you have balance for everything else. With the right culture at work, it's okay if you don't check emails for 8 hours. Take team members on breaks together; it's important. Make sure you're not leaving your team behind.
  • I take stress as positive because I wanted to deal with it. Going from being a researcher to a CISO was my choice
    I can also go back to being a researcher. It's about the right balance.
    Empower the team. Making them feel accountable is a big part. Take the stress and face it together as a team. Having constant discussion with peers (CISOs), sharing thoughts and questions, makes you realise you're not out there alone. All CISOs in your peer group will be facing similar challenges at work. You'll see similar experiences. Talking about it makes you understand you're not the only one.


CISO burnout is a serious issue, and through this discussion we try to find out the impact of this issue on organizations and individuals. The CISO role is operationally intensive and gruelling. In most cases CISOs remain in an organisation for about 1 to 2 years. The role is associated with high stress levels and unrealistic organisational expectations. A study showed that 90% of CISOs were willing to take a pay cut for better work-life balance. The problem is further compounded by the spread of connected devices and by the pandemic.

A study noted that the average tenure of a CISO is just 26 months due to high stress and burnout. The vast majority of interviewed CISO executives (88%) report high levels of stress, a third report stress-caused physical health issues, and half report mental health issues.

CISOs are, on average, working 11 more hours than they're contracted to work each week, with 10% working 20 to 24 hours extra a week. The increased strain of the CISO role shortens CISO tenure, lowers engagement with other executives and leaves less capacity to drive the team. Crucial areas like hiring, customer communication and professional development get hindered and ignored.

  • CISOs are overstretched (on average working 11 more hours than they're contracted to work each week)
  • The staffing shortage and skills gap make it harder; CISOs have to manage operations themselves
  • The ever-increasing threat and solution landscape makes it harder to keep up and evolve the infrastructure accordingly
  • The resulting strain shortens CISO tenure, lowers engagement with other executives and leaves less capacity to drive the team, so hiring, customer communication and professional development suffer


Our upcoming panel discussion on 'The Challenge Of CISO Burnout' is Friday, February 25, at 11:30 AM ET (8:30 AM PT). Register Here To Join


Causes Of Burnout

The CISO role requires juggling many hats. CISOs need a strong technical background and an understanding of organizational goals, and they need to be strong communicators with good leadership skills.

They are often responsible for : 

  • Driving cybersecurity strategy
  • Managing reporting, security infrastructure
  • Understanding legal and regulatory considerations


Unrealistic Expectations Of Foolproof Security

An organization needs strong security procedures and detection mechanisms. However, there is no foolproof security.
Cybersecurity has become an area of interest for boards of directors, since security breaches are directly related to loss of brand image and customers (not to mention the financial implications, which can be huge). And the CISO often becomes the scapegoat.


A Few Possible Solution Areas

  • Cybersecurity maturity assessment. This gives a relative idea of where an organization's security weaknesses and strengths stand
  • Frequent testing
  • Frequent (if possible, real-time) attack surface testing
  • Dark web assessment. This helps the organization become aware of any leaked or sensitive data on the dark web
  • Communicate clearly during stress. This allows the CISO and the security team to discuss their issues. Management can allow for more relaxed periods and breaks in the schedule so that the long hours are efficient rather than stressful
  • Organizational culture shift: have realistic expectations (accept defined levels of risk), encourage efficient working over longer hours, and more
  • Bump up and contribute towards security skills training. The talent shortage is acute


We're talking about the latest Java-based vulnerability, CVE-2021-44228. A critical zero-day vulnerability has recently been found in log4j that permits Remote Code Execution (RCE), allowing attackers to gain remote access. The vulnerability received a severity score of 10 out of 10, and several national cybersecurity agencies, including CISA and the NCSC, have issued warnings and emphasized that organizations must "discover unknown instances of Log4j" in addition to patching.

CVE-2021-44228 impacts any organization using the Apache Log4j framework, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink and others.

>> Discover log4j exposure (by FireCompass)


About The Log4j vulnerability : 

According to the National Vulnerability Database, “Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.” An attacker can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.


The Impact of Log4j vulnerability:

Just to put it in perspective, a scan of Maven Central by Google's Open Source Insights team found that almost 8% of packages in the repository have at least one version affected by the log4j vulnerability.

Within a week of the vulnerability's disclosure, more than 1 million attacks were attempted and more than 44% of corporate networks worldwide were targeted. And this is just the beginning: the worst of the attacks may actually be months in the future, since sophisticated attackers normally create a backdoor, steal credentials, try to bypass security tools and wait for the right time to strike. Nation-state-backed hacking groups have also been spotted attempting to leverage Log4j.


How to Protect : 

CISA recommends that all organizations upgrade to log4j version 2.15.0 or complete the appropriate vendor-recommended mitigation, along with the following steps:

  1. Enumerate any external-facing devices that have log4j installed*
    *Note: check for platforms that can hunt for Log4j vulnerabilities in both known and shadow IT assets
  2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
  3. Install a web application firewall (WAF) with rules that update automatically, so that your SOC can concentrate on fewer alerts.
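Step 1 above (finding out what actually has log4j installed) is the part teams most often skip, so here is an added example of how an inventory pass can be scripted. This is not FireCompass's tool or code from the original post: it walks a directory tree for log4j-core jars, reads the version from the jar manifest (falling back to the file name), checks whether the JndiLookup.class entry is still present, and maps the version onto the NVD ranges quoted earlier on this page (2.0-beta9 to 2.12.1 and 2.13.0 to 2.15.0 for CVE-2021-44228, 2.16.0 for the CVE-2021-45105 denial of service, 2.17.0 as fixed). The jars it scans are constructed fixtures containing only a manifest and a placeholder class entry, not real Log4j binaries, and treating a missing JndiLookup.class as an applied mitigation is an assumption of this example.

```python
import os
import re
import tempfile
import zipfile

# Class that performs JNDI lookups inside log4j-core. Its absence is taken here
# (assumption of this example) as a sign that the class-removal mitigation was applied.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+))?")


def version_key(version):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; a final release
    sorts after a pre-release carrying the same numbers."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unparseable log4j version: %r" % version)
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre_num or 0))


def classify(version, jndi_present):
    """Map a log4j-core version to a status using the NVD ranges quoted on this page."""
    v = version_key(version)
    in_44228 = (version_key("2.0-beta9") <= v <= version_key("2.12.1") or
                version_key("2.13.0") <= v <= version_key("2.15.0"))
    if in_44228:
        if not jndi_present:
            return "CVE-2021-44228 range but JndiLookup.class removed (mitigated)"
        return "VULNERABLE: CVE-2021-44228, upgrade log4j-core"
    if v == version_key("2.16.0"):
        return "CVE-2021-45105 (denial of service): upgrade to 2.17.0"
    if v >= version_key("2.17.0"):
        return "not affected by the CVEs discussed here"
    return "outside the quoted NVD ranges: check the vendor advisory"


def jar_version(path):
    """Read Implementation-Version from the jar manifest; fall back to the file name."""
    with zipfile.ZipFile(path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    m = re.search(r"log4j-core-(\d[^/]*?)\.jar$", path)
    return m.group(1) if m else None


def has_jndi_lookup(path):
    with zipfile.ZipFile(path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def scan(root):
    """Return {jar path: status} for every log4j-core-*.jar under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                if version is None:
                    findings[path] = "log4j-core jar with unknown version: inspect manually"
                    continue
                findings[path] = classify(version, has_jndi_lookup(path))
    return findings


def build_sample_tree(root):
    """Constructed fixture: fake log4j-core jars (manifest + placeholder class), not real Log4j."""
    samples = [
        ("app1/lib/log4j-core-2.14.1.jar", "2.14.1", True),    # unpatched
        ("app2/lib/log4j-core-2.14.1.jar", "2.14.1", False),   # class removed
        ("app3/lib/log4j-core-2.16.0.jar", "2.16.0", True),    # DoS issue remains
        ("app4/lib/log4j-core-2.17.0.jar", "2.17.0", True),    # fixed release
    ]
    for rel, version, with_jndi in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"placeholder, not real bytecode")
    return root


def demo():
    """Build the fixture tree in a temp dir and scan it; keys are relative paths."""
    root = build_sample_tree(tempfile.mkdtemp())
    return {os.path.relpath(p, root).replace(os.sep, "/"): s for p, s in scan(root).items()}


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print("%-40s %s" % (path, status))
```

To run it against a real host, call scan() on the application roots (for example the directories your app servers deploy from) instead of the fixture. Its main limitation is also the reason step 1 is hard in practice: it only recognises jars named log4j-core-*.jar, so a copy of log4j bundled inside a shaded or "fat" jar, a WAR, or a vendor appliance will not show up, which is exactly the shadow IT case the note under step 1 points at.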


Some Important Updates : 

You can try to determine whether your organization's products with Log4j are vulnerable by following the chart below:
[Chart: Log4j vulnerability decision flow (image not reproduced here)]

While we were writing this article, the Apache Software Foundation released a patch for a third vulnerability in Log4j. Version 2.17.0 of the software was released on December 17 after issues were discovered with the previous release (2.16). Apache said that 2.16 does not always protect from infinite recursion in lookup evaluation and is vulnerable to CVE-2021-45105, a denial of service vulnerability.
