A Chief Information Officer (CIO) is responsible for the design, implementation and management of our IT systems, and plays an invaluable role in keeping those systems secure. What’s more, there is a serious shortage of IT security professionals, and so the last thing we want to do is lose a valuable member of staff or discourage people from pursuing a career as a CIO. However, the life of a CIO is notoriously stressful. It is therefore important that we understand why, and examine the different ways that we can ease the burden that we place on them.
Firstly, CIOs spend much of their time (and budget) maintaining outdated legacy systems, which leaves little time for them to innovate and keep up with the trends – something which they must do in order to stay ahead of the constantly evolving threat landscape. They also have less control over their budget than they used to have.
CIOs are usually taken for granted. Employees and executives are not typically aware of what the CIO does, and why. Nor do they understand their own role in protecting the systems and data they interact with. Yet, despite being under-appreciated, when something goes wrong, CIOs will be the ones who come under fire.
As new technologies emerge at a rapid pace, customers, executives and employees are demanding more and more from IT. Yet they fail to understand the time and effort involved in learning those technologies, and then implementing them in a secure manner. This can lead to an increase in “shadow IT” – where employees use unauthorized applications and devices. This creates even more security risks, which in turn creates more stress for the CIO.
It is often assumed that IT professionals know everything about cyber-security, which is impossible given the vast and dynamic nature of the industry. Not only that, but most data breaches are caused by the stakeholders themselves, who can be highly unpredictable. Under these conditions, it’s really not surprising that so many CIOs are struggling to keep their heads above water. The question remains: what advice can we give CIOs to improve the situation?
Know your network architecture
An obvious starting point would be to ensure that you know your network architecture inside and out. Do you know how many data centres you have? Do you know where they are located? Do you know where your critical applications are installed? It is a good idea to use discovery and monitoring tools to keep track of the availability, health status and performance of the various devices connected to your network. Assuming you have the budget and resources to do so, it might be worth replacing your outdated legacy system with a hyper-converged platform. Hyper-converged infrastructure (HCI) combines storage, computing and networking into a single virtualized system, with the goal of reducing the complexity and increasing the scalability of your infrastructure. An HCI will also include a number of useful utilities, such as data de-duplication, compression, snapshots, WAN optimization, and more.
Use a Next-Generation Firewall (NGFW)
It is crucial that CIOs have clear visibility into all network traffic and are able to differentiate between traffic that is suspicious, and traffic that is not. An NGFW enhances the traditional firewall by including additional filtering mechanisms, such as deep packet inspection (DPI) and an intrusion prevention system (IPS). It also provides the CIO with visibility and control over which applications are being used, and who is using them. An NGFW will automatically block Command & Control activity, unknown applications, and unauthorized data exfiltration.
Use policies to determine correct access controls
Make sure that you have spent a sufficient amount of time developing policies that define how users can interact with your data, systems and services. It is a good idea to use a data discovery and classification tool to ensure that you know exactly what data you have, and where it is located. Ensuring that you have the appropriate access controls in place is crucial to keeping your critical assets secure.
Connect with other CIOs
Instead of feeling isolated, it is a good idea to do some networking and meet with other CIOs. By speaking with other CIOs, you can share your knowledge and experiences, and get some feedback and advice about how they reduce, or deal with, the amount of stress they are under. They might even help you find better job opportunities.
Communicate regularly with colleagues
As mentioned previously, most of your colleagues have little-to-no idea about the challenges you face on a daily basis. Of course, that doesn’t mean you should go around boasting or complaining about your workload, but it would be a good idea to speak to your colleagues regularly to keep them informed about the work you have been doing, and how it is progressing. Letting them know about any changes that might affect their work will also make them more tolerant of potential disruption.
Prioritize your activities
This might seem like an obvious point to make, but it’s always worth revising your daily tasks to ensure that you are prioritizing effectively. We have a tendency to prioritize based on the jobs we like to do and push the uninteresting or tedious jobs to the back of the queue. However, the problem with this approach is that things start to pile up, which makes us even more stressed. Be careful of falling into the trap of trying to do everything at the same time, as you may end up doing even less. Only give people your immediate attention if it is absolutely necessary. Of course, we all know this is easier said than done.
Take regular breaks
If you do not create a schedule for taking breaks, you will burn yourself out, which is not what we (or you) want. And when you do take a break, try to resist the temptation of checking your emails. Likewise, remember to take a vacation. Again, if you are inundated with critical tasks, going on a holiday may seem counterintuitive, or simply impractical. However, provided you book your holiday well in advance, you will have the time to make the necessary arrangements. At the end of the day, your organization needs you to be energized and focused, and if you are always stressed and fatigued, you might overlook something important, which could result in a security incident of some sort. And please remember, it’s just a job!