CyberSecurity SEE

Tasks that Burden Security Teams (and How to Address Them)

Dulieu has implemented a new approach in his security team that has proven to be beneficial in several ways. This approach focuses on spreading out expertise and creating a better balance of work for everyone on the team. It has also resulted in upskilling more workers and providing them with more recognition, including spot bonuses. As a result, retention efforts have been boosted, leading to a more tenured and efficient team.

One of the specific areas where Dulieu has found success is in vendor research. He acknowledges that researching, selecting, and implementing new security tech can be time-consuming and take away from the security services that CISOs and their teams are actually hired to do. To mitigate this, Dulieu has developed a strong working relationship with a value-added reseller (VAR) who can take on the task of researching and assessing vendors. This partnership allows Dulieu and his team to save approximately 120 hours of work and speeds up the entire process by six weeks for each new implementation.

Responding to requests for information has become a major responsibility for today’s CISOs and their teams, as security is now a board-level concern and subject to increased regulations. However, spending excessive amounts of time on providing answers to security questionnaires is not the most effective use of worker time. To address this issue, experts suggest implementing automation to handle evidence of control operations and effectiveness. Additionally, having information readily available, such as a SOC 2 report, can help proactively address security inquiries.

Mandatory security training is another area where CISOs and their teams often end up wasting time. Despite being security professionals, they are still required to attend annual security training sessions. One CISO, Jamil Farshchi, implemented a test-out process to eliminate the need for mandatory training. Workers are given a test that covers various security practices, and if they achieve a high enough score, they can opt out of the training. Farshchi also uses scorecards to identify individuals who require additional or targeted training based on their security behaviors. This approach has saved thousands of hours for security workers and the company as a whole.

Risk assessments and security evaluations involving too many people can also eat up valuable time within security teams. Farshchi discovered that his company’s approval process for technology projects involved multiple individuals or teams evaluating and assessing the plans, but this added little value. He eliminated unnecessary links in the approval chain and automated security controls. He also implemented a “fast pass” program for development teams that consistently adhere to security requirements, reducing the need for extensive security evaluations. These changes have freed up time for security teams without introducing new risks.

Managing communication demands is another task that can consume a disproportionate amount of time and energy for CISOs and their teams. Experts suggest being selective about the reports produced and only focusing on essential ones that provide value. Identifying and utilizing individuals who are strong communicators and skilled at developing presentations can also improve efficiency in communication tasks.

Finally, reviewing suspicious emails can be a time-consuming process for security teams. Bryan S. Willett, a CISO at Lexmark, implemented a more efficient way to review suspect emails. By studying legitimate emails that had been tagged as suspicious, Willett was able to identify keywords that indicated their legitimacy. He then created an automated tool that reviewed questionable messages and advised the recipient whether an email was legitimate or a phishing attempt.

Overall, these strategies and approaches have proven successful in saving time for CISOs and their teams, allowing them to focus on their core responsibilities and provide better security services.
