When we look at the schedules of the CISOs we consult with, we’re almost always faced with an impossibly large list of tasks (all of which are urgent!). CISOs are typically inundated with tasks, and a lot of their time is spent translating security issues into terms the rest of the business understands. It’s a critical communications role within a business, so efficiency is key.
We spoke with Vladi Sandler, CEO at Lightspin, and he gave his thoughts on how CISOs can improve efficiency:
“So it really depends on the organization. Is it a one-man show or does the CISO have a team working beneath him/her? When a CISO has a team, it’s much easier. It becomes a matter of delegation. You can simply split out your tasks between security engineers. This not only takes a load off the CISO, but it’s also a fantastic opportunity for the security engineer to get involved in tasks that are vital to the business.
By offloading tasks, CISOs can scale up certain things, like working with more vendors or doing more in-depth evaluations where before they wouldn’t have had the time.
Another added benefit of delegation is that you can demonstrate to the rest of the board how mature your organization is from a security perspective. You can show to management that your security engineers are working to reduce risk and improve security.
If the CISO is a one-man team then the job is a lot more difficult. In this situation, it’s vital to get engagement from other departments and key stakeholders in decisions. For example, if a CISO is doing an evaluation with a vendor, it’s key to get the other members of the organization that will benefit from that vendor on the call as early as possible (from DevOps to the CEO if needed). This will help push decisions and evaluations along and also allow for delegation of certain aspects of the evaluation.
CISOs also need to make more use of open-source tools to help automate processes and workflows that are taking up their time. This can also help CISOs to identify which tasks are their sole responsibility and which tasks require input from other members of the organization. Let’s say, for example, that the CISO conducts a risk assessment and identifies numerous problems with the password strategy of the organization (accounts set to never expire, account lockouts, password mismanagement, etc.). The CISO then has to identify which jobs can be fixed themselves and which jobs require organization-wide training.”
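As an added illustration of the triage step described above (this is example code written for this page, not code from Lightspin, Lepide, or the interview), the script below runs a small password-policy assessment over a constructed account export and tags each finding with who should own the fix: the security team (flags and policy settings it can change directly) or the wider organization (stale personal passwords, which call for training). The column names, the 90-day maximum password age, and the rule that a missing lockout policy is a security-team fix are all assumptions; in practice the records would come from an export of your directory rather than the inline sample.

```python
"""Triage findings from a password-policy risk assessment.

Added example; not from the original article. The account records
below are constructed sample data with assumed column names. A real
run would load them from a directory export (e.g. a CSV of user
accounts) instead of the inline list.
"""
from datetime import datetime, timedelta

# Fixed "current" time so the example is deterministic.
NOW = datetime(2021, 6, 1)

# Constructed sample export: one dict per account.
ACCOUNTS = [
    {"sam": "svc_backup", "pw_never_expires": True,
     "pw_last_set": NOW - timedelta(days=900), "lockout_enabled": False,
     "enabled": True, "is_service": True},
    {"sam": "jsmith", "pw_never_expires": False,
     "pw_last_set": NOW - timedelta(days=30), "lockout_enabled": True,
     "enabled": True, "is_service": False},
    {"sam": "mjones", "pw_never_expires": True,
     "pw_last_set": NOW - timedelta(days=400), "lockout_enabled": True,
     "enabled": True, "is_service": False},
    {"sam": "old_intern", "pw_never_expires": False,
     "pw_last_set": NOW - timedelta(days=700), "lockout_enabled": True,
     "enabled": False, "is_service": False},
]

MAX_PW_AGE_DAYS = 90  # assumed policy threshold


def assess(accounts, now=NOW, max_age_days=MAX_PW_AGE_DAYS):
    """Return a list of (account, finding, owner) tuples.

    owner is "security" for things the security team can fix on its own
    (an account flag, a policy setting, a service credential it manages)
    and "org" for things that need user behaviour to change, i.e. the
    cases that call for organization-wide training.
    """
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are out of scope for this pass
        age = (now - a["pw_last_set"]).days
        if a["pw_never_expires"]:
            findings.append((a["sam"], "password never expires", "security"))
        if not a["lockout_enabled"]:
            # Assumption: lockout policy is enforced by the security team.
            findings.append((a["sam"], "lockout policy not applied", "security"))
        if age > max_age_days:
            if a["is_service"]:
                findings.append((a["sam"], f"service password {age} days old", "security"))
            else:
                findings.append((a["sam"], f"password {age} days old", "org"))
    return findings


def summarize(findings):
    """Count findings per owner so the CISO can see what to delegate."""
    counts = {"security": 0, "org": 0}
    for _, _, owner in findings:
        counts[owner] += 1
    return counts


if __name__ == "__main__":
    results = assess(ACCOUNTS)
    for sam, what, owner in results:
        print(f"{owner:8} {sam:12} {what}")
    print(summarize(results))
```

Running it on the sample data produces four security-team items (the never-expiring flags, the missing lockout policy, and the aged service credential) and one organization-wide item (mjones's 400-day-old personal password). The disabled account is skipped rather than reported, which is the kind of scoping decision worth stating explicitly in the assessment.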
At Lepide, this explanation resonated with us, as we speak to both CISOs that are one-man teams and CISOs with huge teams. Regardless of the size of the team the CISO has, many of the challenges remain the same. CISOs struggle with daily task lists that are all urgent. They also struggle to communicate the importance of various technologies and practices to the rest of the organization. Getting the average non-technical employee to adopt and understand security policies is tough. Here’s what Vladi had to say on the topic:
“This is always a problem. There’s a starvation of security experts out there and also within our organizations. I think security conferences and hackathons could be more widely attended by employees outside of the security team, to help them get a better understanding of the threats out there.
CISOs can really benefit from building communities with other CISOs as well. Learn from others how to communicate to the business and manage workloads.”
At Lepide, we use our Data Security Platform to help CISOs reduce the time it takes to assess risks, generate compliance reports, and more. If you’d like to see how the Lepide Data Security Platform can help you get more visibility over the security of your data, schedule a demo today.
Watch the full interview with Vladi here: