CISOs Suffering From Increasingly Complex Workload: Cisco

Growing Complexity of Managing Enterprise Cybersecurity is Increasing CISO Fatigue and Burnout

A CISO’s life is complex, with business transformation, cloud adoption, working from home and use of mobile devices, and sometimes just too many solutions. Many see automation and AI as a partial solution.

The annual Cisco CISO benchmark report (PDF) examines what it means to be a CISO today by surveying 2,800 IT decision makers, and discussing issues with a panel of CISOs. The 2020 report found the growing complexity of managing corporate cybersecurity is increasing fatigue and burnout among CISOs. Worryingly, 42% of respondents defined cybersecurity fatigue as virtually giving up on proactively defending against malicious actors. Ninety-six percent said that the complexity of managing a multi-vendor environment is a major contributor to this fatigue.

This is not the first time that having too many solutions has been highlighted as possibly counter-productive — in November 2019, a Forrester Tanium report suggested that too many best-of-breed security solutions could reduce a company’s overall security posture. “The devil in that detail is that rarely do the organizations figure out how they are going to leverage those tools effectively. It becomes difficult when you have too many of them.”

According to Cisco, a primary cause for too many solutions is the tendency to rely on technology to solve the problems of increased security complexity. “As organizations increasingly embrace digital transformation, CISOs are placing higher priority in adopting new security technologies to reduce exposure against malicious actors and threats,” comments Steve Martino, SVP and CISO at Cisco. “Often, many of these solutions don’t integrate, creating substantial complexity in managing their security environment.” In this sense, the perceived solution to the problem perpetuates the problem.

“To address this issue, security professionals will continue steady movement towards vendor consolidation, while increasing reliance on cloud security and automation to strengthen their security posture and reduce the risk of breaches,” continued Martino.

One concerning finding in the survey is that despite increasing exhortations to patch fully and promptly, 46% of organizations (up from 30% in last year’s survey) had an incident caused by an unpatched vulnerability. Among respondents who reported a breach, 68% of those breached in this way lost 10,000 or more records, while only 41% of those who reported a breach through other causes lost 10,000 or more records.

Fifty-two percent of respondents said that securing the mobile workforce is very or extremely challenging (and this was before the coronavirus stimulus to working from home). Cisco suggests that adopting a zero-trust approach to authentication would solve many of the concerns currently voiced by the respondents (52% finding mobile devices to be challenging, 39% struggling to secure applications, and 52% saying that data in the public cloud is very or extremely challenging).

However, the primary components of a zero-trust solution are not well-implemented. Multi-factor authentication, which Cisco describes as a valuable zero-trust technology to secure the workforce, is currently used by only 27% of organizations. Micro-segmentation, another key component of zero-trust described as an approach to secure access of workloads, has been adopted by only 17% of the respondents. Implementing a zero-trust solution is difficult and time-consuming, and is a long-term project — but it is considered by many security experts to be a solid approach to cybersecurity.

Despite the increasing complexity of security, and the somewhat disappointing findings in some areas, the Cisco survey finds that security professionals have made positive steps to improve their security posture. Collaboration between network teams and security teams is high, with 91% of respondents reporting they are very or extremely collaborative. 

Seventy-seven percent are planning to increase automation to simplify and speed up alert response times, while 86% say the use of cloud security has increased visibility into their networks.

Cisco’s own recommendations to the CISO community include a layered defense (that could help towards a zero-trust posture) that includes MFA, network segmentation, and endpoint protection; improving visibility (which is always good advice); getting the basics of security hygiene right (including a robust patching regime); and reducing complexity in both security practice and security tools by adopting an integrated platform approach.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
