It doesn’t take a lot of imagination to arrive at the conclusion that being in charge of security for almost any organization is a stressful job. Every day there are more and more headlines about data breaches, the loss of intellectual property, targeted attacks and the list goes on.
While those headlines certainly highlight an outcome every security organization works to avoid, they only represent the surface of the challenges many security organizations face every day. One thing is for sure, being a Chief Information Security Officer (CISO) or security leader is not an easy job. Here are nine reasons why your security leader might just need a hug (or maybe just a thank you to make things a little less awkward).
1. People don’t understand us
Security is difficult, and security people are unique. They have a different way of looking at things. We try to get away from ‘techno garble,’ which isn’t important to the business. The business needs it in black and white, no theoretical things. -Chief Technology Officer, Insurance, 2013 CISO Assessment
For as technically gifted and curious as many in the security industry are, soft skills, like the ability to communicate haven’t really ever shared that same emphasis. Now, as business is more and more aware and interested in security challenges, they need someone who can plainly explain risks and industry is trying to play catch-up on that skill. That’s why the security conference scene now also has things like sessions dedicated to communications.
2. Skills and workforce are always changing
Surely in this rapidly expanding industry we have plenty of people with the right skills to match the opportunity of the market, right? Right? No, wrong.
Not only is there a shortage of the specialized skills required to combat today’s threats and effectively staff a security team, the entire industry was deemed not ready for professionalization because the space is changing so rapidly and the skills, requirements and backgrounds of the people you may want on your team are unpredictable in the context of standardization and professionalization. So, good luck building your team.
3. It’s hard to prove ROI
It’s very rare that I’ll walk into an organization and say, wow, those are some compelling measurements. -Kris Lovejoy
Malware infection rates. The speed at which patches are deployed and how many endpoints they can reach. These are security statistics that the security team might be very familiar with. However, security organizations have the difficult task of turning those statistics into something business people understand.
In our own CISO Assessment, we found that 2/3 of security leaders don’t translate metrics into financial impact because, “they either lack resources or the business requirement to do so, or it’s just too complex to calculate.”
It is also very difficult to estimate the overall costs associated with security breaches, but people seem to have settled on the fact that it’s probably a big number.
4. Stakeholders are all over the place
Managing a large and complex organization tasked with a difficult mission is hard enough, but the security team needs the additional skill of being able to influence organizations outside of their direct management, and they need to do it a lot. In the absence of being able to build one really big cyber wall around your infrastructure, which is of course not possible, it has become increasingly important to embed security into business and IT processes.
Doing so means you have to find a way to compel non-security people to follow security best practices. Not the easiest task in the world.
5. People don’t want to change
Virtually no one has read the original research that shows why culture — when clearly defined — is so important, how it is formed, and how it changes. -Forbes
Culture change can often be one of the most challenging elements for any business leader to drive within their own team or function. The security team is challenged with not only building a distinct culture within their own organization, including addressing any challenges like building practices around communications and business metrics, but to drive a more risk aware culture across an entire company. This is not only a daunting task, but a critically important one given that attackers frequently use spear phishing in the opening activities of their attacks.
6. People (lots of them!) are actively trying to sabotage you
Every organization faces competition, but working in security takes that to another level completely. Yes, perhaps in marketing one of your competitors is advertising on one of your favorite hashtags (thanks for that by the way), but it doesn’t compare to having to sit down every day and face off against everyone from opportunists, social activists, organized criminals, state-sponsored attackers and even terrorists.
Of course, this doesn’t even cover the people within your own organization, whether they be insider threats or employees who still love to click no matter how many times you tell them not to. While the latter group might not be actively trying to sabotage you, sometimes it really feels like it, especially when 93% of employees will just admit to violating policies meant to prevent breaches.
7. Everyone hates us
That pesky security team keeps telling us about security!
It’s no surprise that the biggest inhibitors to cloud and mobile technology continue to be risks associated with data loss and information security, but that’s really only the start of it. Employees don’t like mandatory training, they don’t like being told they can’t do things they want to do and it’s not like anyone ever has a sense of patience about these topics either. Security is a big hassle to everyone who doesn’t do security for living.
And of course the irony is that these are the good times. When something goes wrong, all those people who willfully admit to doing the wrong thing from a security perspective, well you know who they’re going to blame.
8. You can never win
“What have you done for me lately?”
Sure, almost every organization has some element of this mentality as teams focus on the next thing, the next product, the next quarter. But is there any other profession where the possibility for day-to-day change in perceived job performance is more potentially acute?
Of course, this situation assumes you have had the good fortune of detecting the person or organization infiltrating your systems, which, according to research (here, here), is not necessarily given at all!
9. Nothing can ever go wrong
This isn’t even as self-explanatory as it seems because the problem isn’t just security incidents. Try blocking revenue traffic and see what that response is like.
Everything is Terrible… But We Love It
At the end of the day many of the reasons why working in security is so challenging are also why it’s so rewarding and why the community is so close. There is no expectation that any battle will ever be done. There will always be a thin line that must be held between us and them. The skills and workforce are changing all the time, but the people are passionate and when they come together it’s “what every family reunion should be like.”
So while it might be nice to give your CISO, or anyone on your security team a hug (please comply with all workforce policy regarding hugs), there’s also a pretty good chance that they love what they do and wouldn’t have it any other way.
Except maybe they’d like some more budget. And a week more vacation. And if skills are so hard to find, about that raise…