Growing Complexity of Managing Enterprise Cybersecurity is Increasing CISO Fatigue and Burnout
A CISO’s life is complex, with business transformation, cloud adoption, working from home and use of mobile devices, and sometimes just too many solutions. Many see automation and AI as a partial solution.
The annual Cisco CISO benchmark report (PDF) examines what it means to be a CISO today by surveying 2,800 IT decision makers, and discussing issues with a panel of CISOs. The 2020 report found the growing complexity of managing corporate cybersecurity is increasing fatigue and burnout among CISOs. Worryingly, 42% of respondents defined cybersecurity fatigue as virtually giving up on proactively defending against malicious actors. Ninety-six percent said that the complexity of managing a multi-vendor environment is a major contributor to this fatigue.
This is not the first time that too many solutions has been highlighted as possibly counter-productive — in November 2019, a Forrester Tanium report suggested that too many best of breed security solutions could reduce a company’s overall security posture. “The devil in that detail is that rarely do the organizations figure out how they are going to leverage those tools effectively. It becomes difficult when you have too many of them.”
According to Cisco, a primary cause for too many solutions is the tendency to rely on technology to solve the problems of increased security complexity. “As organizations increasingly embrace digital transformation, CISOs are placing higher priority in adopting new security technologies to reduce exposure against malicious actors and threats,” comments Steve Martino, SVP and CISO at Cisco. “Often, many of these solutions don’t integrate, creating substantial complexity in managing their security environment.” In this sense, the perceived solution to the problem perpetuates the problem.
“To address this issue, security professionals will continue steady movement towards vendor consolidation, while increasing reliance on cloud security and automation to strengthen their security posture and reduce the risk of breaches,” continued Martino.
One concerning finding in the survey is that despite increasing exhortations to patch fully and promptly, 46% of organizations (up from 30% in last year’s survey) had an incident caused by an unpatched vulnerability. Among respondents who reported a breach caused in this way, 68% lost 10,000 or more records. Only 41% of those who reported a breach through other causes lost 10,000 or more records.
Fifty-two percent of respondents said that securing the mobile workforce is very or extremely challenging (and this was before the coronavirus stimulus to working from home). Cisco suggests that adopting a zero-trust approach to authentication would solve many of the concerns currently voiced by the respondents (52% finding mobile devices to be challenging, 39% struggling to secure applications, and 52% saying that data in the public cloud is very or extremely challenging).
However, the primary components of a zero-trust solution are not well-implemented. Multi-factor authentication, which Cisco describes as a valuable zero-trust technology to secure the workforce, is currently used by only 27% of organizations. Micro-segmentation, another key component of zero-trust described as an approach to secure access of workloads, has been adopted by only 17% of the respondents. Implementing a zero-trust solution is difficult and time-consuming, and is a long-term project, but it is considered by many security experts to be a solid approach to cybersecurity.
Despite the increasing complexity of security, and the somewhat disappointing findings in some areas, the Cisco survey finds that security professionals have made positive steps to improve their security posture. Collaboration between network teams and security teams is high, with 91% of respondents reporting they are very or extremely collaborative.
Seventy-seven percent are planning to increase automation to simplify and speed up alert response times, while 86% say the use of cloud security has increased visibility into their networks.
Cisco’s own recommendations to the CISO community are to adopt a layered defense (that could help towards a zero-trust posture) that includes MFA, network segmentation, and endpoint protection; to improve visibility (which is always good advice); to get the basics of security hygiene right (including a robust patching regime); and to reduce complexity in both security practice and security tools by adopting an integrated platform approach.