Cybersecurity leaders and their teams can't seem to catch a break. Every day, they're faced with new vulnerabilities to patch, breaches to avoid and ransomware attacks to prevent -- all with little or no help from their colleagues.
"It hasn't let up. It's still hockey with no bench and full agendas with 55- to 60-hour weeks," said Todd Barnum, CISO at GoPro and author of The Cybersecurity Manager's Guide: The Art of Building Your Security Program.
In the book, Barnum discusses the challenges of advocating for and integrating security into an organization's business priorities. He suggests that few people understand a cybersecurity leader's role and responsibilities -- and even fewer recognize the amount of time and resources needed to fully protect an organization's assets.
A successful security leader, he says, must educate teams across the company on the importance of cybersecurity, while simultaneously handling the eight domains of infosec: security and risk management; asset security; security engineering and architecture; communications and network security; identity and access management; security assessment and testing; security operations; and software development security.
In this excerpt from Chapter 1 of Barnum's book, look at an hour-by-hour breakdown of a typical security leader's workday.
Since no one understands your job, no one can appreciate what it takes to get your job done. Some may claim to, but in reality they don't -- and you know they don't. I've worked with bosses who've told me they used to run InfoSec functions at other companies, but after talking with them for a couple of minutes, it's clear they don't know the job either. One of the rocket scientists I had the pleasure of working for (or with) didn't know the difference between logging and scanning. Ouch.
Nobody knows the diversity of services you provide across the company or appreciates the breadth of technologies you must master. For each department and team in the company, you provide a different service. For the legal department, you provide computer forensic support (among many other activities). To other departments, you write company policy, support compliance efforts, and provide business-to-business (B2B) risk-assessment services, web app pentesting, red team exercises, incident response services, tabletop exercises for simulated incidents, awareness training for general staff, and on and on. There isn't one person beyond your team who understands the diversity of tasks that make up your job description, or the demands this places on you and your team. After all, we hire "high-speed" technical people, and none of them want anything to do with running phishing tests; it isn't sexy work engineers want to do.
A Day in the Life of an InfoSec Manager
I attend a lot of meetings in the course of my day. I rarely have any free time in my calendar. However, I look at my peers in the company and observe the luxury they have of sitting in their offices for hours upon hours. I can see their calendars that reflect so much free time. I dream of a day like that, or even an afternoon with some quiet time. This is not the security leader's lot in life. We're not that fortunate. Here's a typical day at work. I think you can relate:
Meet with one of the software engineering teams to discuss customer data flows throughout the cloud commerce systems.
Meet with a system administrator team to discuss the need to audit the organization's domain controllers and other authenticating systems.
Meet with the HR team to discuss the InfoSec team's involvement in the offboarding process: the use of data loss prevention (DLP) tools, disabling access to departing staff members, preserving data for those on litigation hold, deciding which systems will be placed on legal hold, indicating how departing staff members can retrieve their personal files (which you never supported) from their computers after they're gone, wiping systems to ensure no loss of data, deciding when systems can be placed back into service after legal hold, determining how and when to terminate access for departing staff members. Of course, all these processes change for every country of the world!
11 a.m.-12 p.m.
Meet with the product team to discuss the requirements for Internet of Things (IoT) security in the next version of the company's product. The product team really doesn't want to meet with you, nor to include security requirements in the next design -- no surprises!
Risk assessment of third-party vendors. Here's a fun topic. Who's going to evaluate all our third-party vendors for information technology (IT) security risks? (This should have been done when we entered into a contract with the third party, but we didn't do it then. Now leadership is asking about our risk exposure. You get the idea.)
Update the code-of-conduct document with the legal department. (Sigh.)
Present the results of the latest security audit to company leadership, done under the watchful eye of the corporate audit department, and utilizing an external firm.
3-4 p.m.
Review your board-of-directors slide deck with your boss.
Meet with the network services team to review hardening standards as well as the results of the most recent network scans.
You finally make it back to your office, tired from a day of meetings, only to be greeted by the more than a hundred emails you got that day from staff members who need something from you...
If you're an InfoSec leader, I'm sure your calendar looks similar. And it looks like this every day of the week. I've never had a quiet period in my entire career. The demands are always there, and they never let up. As the company grows in awareness of InfoSec, it requires more services from you. There is no rest for us. I've often equated InfoSec to hockey: it's fast and full contact, and you don't ever get off the ice. You better be ready and know what you're doing. If not, you'll get bodychecked and lose your job.
Deloitte once had a chart that I love. It decomposed the eight domains of InfoSec into 176 areas. The chart could barely fit on a standard office wall. When you looked through the chart, it didn't take long to realize that the job of a security leader spans way beyond anything provided by anyone else in the company, and the sad part of that equation is that no one has a grasp on the job's breadth. If they did, they might care more. (Nah, who am I kidding!)
About the author
Todd Barnum is CISO for GoPro Inc. Barnum started with GoPro in 2015 and is responsible for the company's cybersecurity efforts, which secure and protect information important to GoPro and personal to its customers. Before GoPro, he held CISO positions at Warner Bros. Entertainment and Amgen Inc. Earlier in his career, Barnum served as a naval officer and held a variety of technology and cybersecurity leadership positions. He holds a master's degree in information technology from the Naval Postgraduate School and his bachelor's from the University of Hawaii.