Cybersecurity is a constant fire drill—that’s not just bad, it’s dangerous

As part of my job as an industry analyst, I do lots of quantitative research with security professionals.  One question we often pose to security professionals is around their biggest challenges.  The research results often include issues like coping with alert storms, addressing the dangerous threat landscape, managing a multitude of point tools, scaling manual processes, and staffing shortages, along with one other challenge that comes up on nearly every survey, often with the highest percentage of responses:  Security professionals report that they are challenged because the cybersecurity team at their organization spends most of its time addressing high-priority/emergency issues and not enough time on strategy and process improvement.

This response comes up so often that I admit becoming somewhat numb to it, but when reviewing some ESG research this week, this data point hit me like a ton of bricks as I contemplated the implications.  If security teams spend an inordinate amount of their time in fire drill mode, my instincts tell me that they are:

• Like Elliot Alderson, the protagonist in the show Mr. Robot, security professionals want to save the world—from cyber-adversaries and the devastation they cause.  In pursuing this goal, their days are often chaotic, taken up with emergency response actions.  Security professionals deserve our gratitude and respect for this alone. 
• Cutting corners. Despite this valor, putting out fires has a significant downside—you react, do what you can, and move on to the next hot spot; sometimes without thinking things through.  Faced with constant emergencies, it’s safe to assume that security operations teams are making compromises and cutting corners—especially if there’s another emergency to deal with around the bend.  This type of incident response also tends to be anchored by individuals and tribal knowledge rather than tried-and-true processes.  Ironically, cutting corners can add complexity, uncertainty, and time to emergency situations. 
• Burnt out. Pity the poor security operations team.  They are usually understaffed, overworked, and faced with a constant stream of high-priority emergencies.  This is an unhealthy work environment that will stress out even the most stoic security pros.  Little wonder then why research from ESG and the information systems security association (ISSA) indicates that 71% of security professionals agree that there is an unhealthy level of stress associated with their jobs. This inevitably leads to mental health problems, a toxic workplace, and staff attrition—a surefire recipe for ineffective and inefficient cybersecurity operations. 
• Poorly prepared for future attacks. Responding to constant emergencies takes time away from other necessities like training, testing, and process improvement.  The absence of these things forces security teams to rely on what they know, but since cyber-attacks are constantly evolving, even the best knowledge and skills will become stale and ineffective over time.  Soon, the security team will be performing their jobs in the cybersecurity equivalent of bringing a knife to a gun fight. 

5 practices to reduce security firedrills

CISOs would be well advised to assess whether their security teams are challenged by a constant state of emergency response.  If so, this situation must be addressed with great urgency. Here are five things that CISOs can do that will have an impact: 

• improve security hygiene and posture management,
• segment networks to reduce the attack surface,
• capture the actions taken by experienced security professionals and turn them into formal automated security processes,
• operationalize the MITRE ATT&CK framework to guide activities like security engineering, testing, and alert triage, and
• augment overworked staff with help from security service providers.

Yes, I realize these are obvious options, but security professionals keep telling ESG that dealing with emergencies is one of their biggest security challenges year after year.  I can only conclude then that organizations aren’t making the right decisions or aren’t even trying.

As the famous quote attributed to Albert Einstein states, ‘the definition of insanity is doing the same thing over and over again and expecting different results.’  If we subject security teams to a life of constant firefighting when there remain changes to be made that will help, we deserve to be hacked.