It’s clear from media articles that new CISOs need to make an immediate impact on their organization’s security program in the first 90 days with action items such as “make a quarterly plan for the next year”.
When you compare this to the typical day of a CISO, there’s not a spare moment to work on anything outside of maintaining the existing security infrastructure or dealing with the fire drill of the moment. So how can you be proactive when you’re so busy being reactive? Here are some ideas for how to get out of the reactive mode so you can focus on proactive security measures.
Suppose there’s a project that needs to be done that has management support and funding…for example, building a risk management program for using cloud services. There are two approaches for managing the project – either free up staff to focus on it or bring in outside expertise to complete the project.
Finding more time for your security team requires change, and considering outsourcing some team activities can be part of that change:
Firewalls, VPN concentrators, other ingress/egress controls: There are many vendors that can manage these border protection devices. Not only can this save time for your team, you may also experience a better audit trail of changes to these devices by using an outside vendor.
Log management and monitoring: Using a vendor to manage log servers may allow you to revisit why those servers are in place. Some organizations lose sight of using logs (reviews, automated or otherwise) in the day-to-day activities of keeping servers working and the rest of the organization sending in logs.
Vulnerability scanning: An outside vendor can save you the time spent on managing a vulnerability scanning infrastructure and also provide a stronger focus on fixing identified problems.
When looking for vendors to help with these projects, it’s typically most efficient to identify the ones that use the technology you’re using today. This makes the transition easier and allows the staff that managed these activities in-house to manage the vendor more effectively.
Even after you transition some in-house responsibilities to vendors you may still need to consider hiring outside help for other projects simply because there’s not enough staff time or specific security framework expertise to get the job done.
There are a couple of options to consider:
Do you hire an outside firm to manage the project in its entirety?
Do you hire an outside firm to augment your staff, allowing it to take over enough of the day-to-day work so your own staff can lead the project?
There are many items to consider for each option. But given the extremely high demand for information security skills today and your need to keep your team intact, you might consider option 2 as a way to give your staff interesting work so they stay on board as opposed to watching “the consultants” come in and do the work they likely wanted to perform.
Either option requires funding, which may not be available. A common approach that we see is to use your security advisory firm to help justify the necessary funding for cyber risk and cybersecurity programs. We have collective knowledge from working with many organizations on strengthening their cybersecurity posture that can help with securing support for security projects from the executive team.
We help clients with both approaches. While the majority of our work requires us to manage the entire project, we also do a lot of staff augmentation projects – everything from providing an interim CISO for organizations that need to develop an information security plan, to providing skilled security specialists who work under the direction of the CISO on a temporary basis.
If your security team struggles with the day-to-day grind and fire drills, and rarely finds the time to be proactive despite your best intentions, contact us to discuss your specific needs and we can develop a plan for success.