A CISO, a VP of Engineering, and a Threat Hunter Walk Into a BBQ …

Security is tough. It’s a big job that’s always getting bigger. More challenging. More in-the-spotlight and subject to increasingly intense scrutiny.  

But is it just the nature of the job, a sign of the cybersecurity times, or is something else going on? We all know there’s a legit security skills shortage, and everyone is asked to do more with less — is that the crux of the issue? Is anything else causing security team burnout and keeping them up at night?  

I got a little insight into this question at an unlikely place recently — while sipping a beer at an afternoon BBQ this summer. The host was a CISO, and the guests included “practitioners” from enterprises or security consulting boutiques, and engineering leaders from the “vendor” side, like me. We’d all worked together in past companies, and inevitably ended up talking shop. I walked away from that BBQ with a newfound appreciation for New England IPAs, and some enlightening cybersecurity insights. Amidst the talk of struggles, challenges, and pains, four common themes emerged: 

Incident response

Yes, it’s important. Yes, it’s a key part of the job. But spending all day reacting doesn’t leave any room for planning, preventing, or strategizing. One human error can destroy even the best-laid plans … and anything that triggers an incident response, even a false alarm, means hours of forensics, communication, analysis, mitigation, and remediation. When a legitimate security incident happens, the response can take weeks or longer. And when that happens, it basically blows up all other planned work.

Compliance and compliance management 

Everyone is selling to someone, so managing compliance posture will always be part of the job. But it’s a time-consuming, tedious task and, on top of that, subject to external review. It takes a lot of time and cycles, yet compliance doesn’t necessarily result in the detection of and protection against new threat vectors.

Too many tools

I’ve heard security complain that the proliferation of tools makes their job harder to master. Security vendors these days move “at the speed of DevOps” too, so staying adept/expert in any one toolchain is a big job. By the second NE IPA, it was clear that tool mastery is a moving target, and one that sometimes gets in the way of the primary job of security — keeping the company’s assets safe. 

High rate of change in the industry

Almost everyone at that BBQ talked about moving from Docker to Docker Swarm, or VMs to Docker, or AWS to GCP, or private data center to Cloud. And that change comes with a massive workload for security. And it is not exactly a one-and-done activity. The rate of technology development is driving architectural decisions and execution that happen at a breakneck pace. Security assessments that used to happen in weeks or months now must be completed in days or even hours, for legit business reasons.

Any of this sound familiar? Same kind of stuff keeping you up at night? We’re working hard to keep up with these pain points and make sure our WAAP platform eases rather than exacerbates them. Take a look at our demo video and let us know if we’re succeeding. Or get a personalized demo of our solution, and let’s talk. We see you, security teams. Hang in there … 

About the Author

Tom Hickman

Tom has a long track record of building and scaling product delivery capabilities at mid- and growth-stage startups. He served as the VP of Engineering at Edgewise Networks, where he led engineering through early releases of Edgewise’s zero-trust micro-segmentation product. While at Veracode, a leader in AppSec, Hickman led engineering through an Agile transformation and helped the company become a true multi-faceted AppSec platform prior to its acquisition by CA Technologies in 2017. Tom holds a B.S. degree in mechanical engineering from the Georgia Institute of Technology.