Why time is a headache for CISOs

The CISO is not a superhero (although... we talk about that here), so to try and solve a problem, you need to identify the cause. So, in this "CISO and the race against time" challenge, what are the reasons why CISOs always have that unpleasant feeling of "never doing enough"?

Working time split between several missions

As cyber risks affect all areas of business and all levels of the organization, the CISO is involved across the board, which explains the breakdown of his or her working time as follows (figures taken from the 2020 edition of CLUSIF's "IT Threats and Security Practices in France" study):

  • Technical aspects (security architecture, project management, etc.): 29%.
  • Functional aspects (risk analysis, security policy, etc.): 25%.
  • Operational aspects (rights management, administration, etc.): 21%.
  • Communication/awareness: 14%.
  • Legal aspects (search for evidence, user charter, etc.): 11%.

In itself, this distribution might not be problematic, if CISOs didn't have to deal with a lack of integration of their function within the company's processes, and a lack of suitable, dedicated tools to organize themselves! (teaser: see next article on dashboards and Excel for CISOs...)

Cybersecurity and corporate culture

The cross-functional nature of the CISO's role places him or her in a position of great dependence, both on top management, who allocate the cybersecurity budget, and on the teams, who have a role to play in applying security rules and in reporting information.

Yet many CISOs find it difficult to lead and unite their community, and waste time on tasks with no added value, such as chasing up teams who are slow to fill in a dashboard, or correcting incidents that could have been avoided had the CISO been consulted in advance.

 

Lack of cybersecurity management tools

CISOs aren't the only ones looking to win the race against time. Today, all business functions have the tools they need to take a 360° view of their activity. The sales function, for example, has a CRM (customer relationship management software), while finance has real-time data thanks to an ERP.

The CISO, for his part, has a number of tools at his disposal, from the most common solutions (antivirus and antimalware, antispam, firewall, etc.) to more specific tools (IDS probes, SIEM, Network Access Control) and programming and maintenance consoles.

However, none of these technical aids is related to management, which explains why CISOs still have to spend a lot of time on:

  • creating their own management tools when they take up a new position
  • updating those tools regularly and adjusting their functionality

In practice, the CISO spends a great deal of time creating and adapting Excel dashboards, not to mention the few days needed each month to aggregate the data for presentation to top management.

 

What are the solutions for giving CISOs back their time?

For CISOs to win the race against time, they must first and foremost optimize and rationalize their actions.

Best practices to adopt

On a day-to-day basis, every CISO can try to keep time-consuming and tedious tasks to a minimum, by industrializing what can be industrialized, and making the most of opportunities to collaborate effectively with all stakeholders.

 

Here are three avenues to explore:

  • Template creation

Which tables are used most often? Which presentation works best with the COMEX? What type of questionnaire do teams respond to most quickly? To avoid "reinventing the wheel" for each presentation or data collection, the easiest thing for the CISO to do is to build up a library of "templates" (Excel spreadsheets, PowerPoint presentations) that will serve as recurring frameworks.

  • Agile methods for team management

Moving projects forward, resolving difficulties encountered by teams, getting back to employees... all this takes time, but it takes even more time when there is no follow-up or momentum. To keep their community engaged, CISOs can therefore turn to meeting formats that are regular, short and highly structured.

These can take several forms, such as a weekly meeting (one hour at most) or a daily meeting (a few minutes, usually held standing up). In both cases, the objective remains the same: to review what has been done and what remains to be done, and to remove obstacles to the achievement of objectives.

  • Tools other than those dedicated to cybersecurity

Today, there are many tools available which, while not specifically for CISOs, can be useful. It's up to each CISO to find what suits him best, from among the range of existing collaborative and project management tools. For example, Trello is an interesting solution for keeping track of current actions and projects, by setting up notifications and alerts. Tools such as Slack or Teams can facilitate collaboration with all project stakeholders.

Tenacy helps you reclaim quality time

A flexible, collaborative SaaS platform, Tenacy is the leading solution for cybersecurity management. It aims to improve the organization of CISOs, saving them precious time in many areas:

  • Dashboard creation: parameterization of indicators specific to the security policy, pre-configured indicators, customized, modular and intuitive construction
  • Data collection: automatic notifications eliminate the need for reminders
  • Monitoring compliance and action plans
  • Security program follow-up
  • Carrying out assessments

By eliminating time-consuming tasks and offering a 360° view of cybersecurity, Tenacy frees up every CISO's time to concentrate on the strategic aspects of their mission.