It is a common feeling in the cybersecurity community that CISOs do not sleep well at night. CISOs worry about the latest incident, end-of-life technology in their environment, breaches in the news, insecure users and vendors, penetration testing results, budget and resources, and the latest vulnerability report (to name a few). In fairness, this list could go on for pages, since everything from delayed projects to mergers and acquisitions can become a CISO's nightmare. It is no wonder they lose sleep at night, because there is plenty to worry about. If they did not care, or were not passionate about their jobs, they would not lose any sleep at all. Unfortunately for their rest, that is not the case.
While it is arguable which C-level executive position is the most stressful, poor CISO performance can be an end-game event for many businesses. And many of the items a CISO is responsible for depend on the threat landscape and the security posture of others. Did teams install the software correctly? Is the firewall configured appropriately to block a threat? Did end-user training really teach the fundamentals needed to avoid a phishing attack? You get the point. Stress is part of a CISO's job description, and if you ever want to become a CISO, you will need to learn how to manage it. If not, you will burn out and lose sleep too. To that end, I have compiled my personal recommendations for any CISO who wants to sleep at night and mitigate the threats that are simply out of their control (but over which they have strong influence).
1. Enable and trust a strong lieutenant(s)
A CISO can rarely operate and be successful on their own. Security is strongest as a team effort, and a CISO should have at least one strong lieutenant they can count on when they are not available. This is not about loyalty; this is about good leadership and having team members you can trust to make difficult decisions with confidence and composure when needed. CISOs cannot be available 24/7, despite what the industry might think. They need to sleep too, right? Trusting staff makes a CISO's job much more manageable, especially when the team knows you have their back if something goes sideways. A CISO who pushes blame down to team members will never succeed in establishing a trusting security culture. Having high-performing direct reports can make all the difference in the world.
2. Asset and data inventory
The worst surprise for a CISO is having an incident on an unidentified, unmanaged, and undocumented device. The forensics are a nightmare because everything is unknown, including the data on the resource and its sensitivity. Therefore, remember cybersecurity 101: inventory everything as best as you can, and do your best to keep it up to date. This includes all assets, resources, geolocations, owners, and data. For the data, perform data discovery and maintain a data map that outlines the processing and storage of all sensitive information. Incidents are going to happen; that's a fact. However, knowing an incident has happened on an asset that is already in your inventory helps you manage the incident and control the situation. Most importantly, it lets you prevent the same thing from happening again on similar resources. If you know what resources your organization possesses, you can protect them and sleep at night.
3. Keep your eggs distributed
While it is a well-established business practice to consolidate vendors, it is not a security best practice to rely on one technology to mitigate the threats from an attack vector. For example, would you use antivirus alone as an endpoint security solution? The answer is definitely not. You need a variety of tools to manage endpoint security threats, ranging from antivirus, endpoint privilege management, and application control to endpoint detection and response. If you can combine many of these use cases into a single vendor solution, then you have an effective mitigation strategy with potentially overlapping layers of protection. Therefore, for any risk mitigation, do not put all your eggs in one basket; rely on layered technologies to manage risk. Also, remember that a CISO does not protect an organization through technology alone; training end users in cybersecurity awareness is still your best line of defense. It is another example of distributing your eggs for maximum coverage.
4. Manage, monitor, and report
No matter what plans you put in place, if you cannot manage, monitor, and report on the effectiveness or ineffectiveness of your strategy, you are doomed, plain and simple. The inability to gain visibility into an organization's security posture is what nightmares are made of. A CISO's mind wanders and races at night with "what if" scenarios to cover all potential attack vectors. If there is no visibility, there is no refinement of plans. And if plans are not adequate and adapting, then an incident will occur. The best sleep a CISO can have is when they have the best visibility into everything they manage, ensuring nothing slips through the cracks and becomes a breach.
5. Plan and test, test and plan
With everything else in motion, it is time to exercise your plans. Muscles that sit still for too long break down and lose their strength. Sleep is meant to regenerate the mind and body. During the day, we have planned for an incident, and now we should test our response. For a CISO, this means testing standard operating procedures, practicing crisis management plans, and revising and optimizing those plans so they are efficient when a security event occurs. After all, an incident will occur. If we have trained hard, practiced thoroughly, and documented our game plan, we should be able to sleep. We have prepared. After all, in cybersecurity, game day is every day, and every day is a different game.
While these five recommendations may seem elementary to some, I have found them to be the most effective way not to lose sleep at night. I know what I can know, I trust my teams, and I have layers of defense. I have visibility into what I can see, and I have planned and tested for all reasonable scenarios. It is like a final exam in college. You have studied hard, worked with peers in study groups, reviewed all the applicable material, and practiced sample questions. The only difference is that the teacher may include material you have not seen before, just as a threat actor may employ a new attack vector. If you are truly prepared, you can mitigate the threat, just as you can work through a test problem you have never seen before. After all, that is a sign of intelligence, and if you manage the tasks of being a CISO intelligently, you will be able to sleep at night. Being reactive as a CISO is what causes stress. Planning and trusting will help you realize you have prepared well for your position.