Cyber Response Fatigue Management: Overlooked and Undervalued

Are Cyber Professionals Too Exhausted to Monitor for Attacks?

With the growing visibility around cyber breaches, there is now a heightened sensitivity among corporate boards and executive teams as they become more engaged in the management of cyber risk, and its ability to impact their business and personal indemnity.

To counteract this growing awareness, the security industry itself has exploded with new products and vendors. With the cybersecurity market anticipated to be worth over $200 billion by 2022 there is an abundance of information aimed to influence business investment decisions. However, through all the webinars, workshops and whitepapers, a foundational expectation has bubbled to the surface and taken hold, and that is a company’s ability to identify and respond to a cyber event.

Whether that ability is supported by a series of technologies or driven by regulatory mandates, the public’s tolerance around cyber events is shrinking. With the increasing rate of breaches that impact consumers’ lives, corporate distrust is greater than ever.

Corporations not wanting to land themselves in a similar context are now committing money, focus and expectations onto existing IT groups or niche cyber response teams to try and manage this risk. However, the increased pressure for managing this type of risk is quickly outpacing available cybersecurity staff and skills, and executive expectations and technology risk management processes are starting to deviate. According to the ISSA and ESG’s recent research:

63% of organizations are seeing increasing workloads on already existing staff,
41% of cybersecurity teams are spending time on high priority issues and incident response with minimal time spent on planning, training or strategy,
38% of cyber staff are citing “burn out,” and
24% of cyber teams do not have the ability to investigate or prioritize security alerts in a timely manner.

Cyber events are rarely linear and seldom stay within the confines of a normal 9-to-5 day. Along with the growing complexity of technology, expectations around personnel delivery capabilities are growing. Professionals are now expected to be able to perform more advanced techniques such as forensics, application and cloud security, while keeping apprised of the most recent threats. This is leading to increased stress and fatigue as these demands are outpacing the training and support programs offered by corporations.

Further contributing to fatigue within incident response teams, and often taken for granted, is process management. In response to an evolving threat landscape, more agile and less process-oriented teams are organically rising to try and respond to business requirements, but over time these teams find themselves more in a whack-a-mole security function than a refined operations team. A lack of process means that incidents of a commoditized nature (e.g. botnets) take longer to identify and remediate as teams try and orient themselves into action. If these types of incidents happen frequently, they begin to take their toll on responders.

However, it’s not all doom and gloom. Processes, when mapped out and documented, can help response teams better orient and direct their efforts when in the heat of the moment and when balancing other accountabilities. Security leaders should consider leveraging frameworks such as Lockheed Martin’s Cyber Kill Chain or NIST to develop repeatable processes and practice sets for commodity risks, and complement those with technologies that provide the best ROI to their teams. For organizations cutting their teeth in cyber, this practice cannot be overstated.

Organizations with more mature practices should be spending time on preparation drills. Leaders should ensure teams are refining and mastering their documented response activities and ensuring that commodity responses are as repeatable as possible. The mastery of these basic skills not only will increase a team’s general capabilities, but will afford them time to focus effort on things that may be of a more advanced nature.

At its core, cyber response involves responding to a corporation’s more intimate issues and risks, and that is a relationship built on trust. Executives and Boards are expecting their leaders to not only deliver on their expectations, but also to appropriately communicate where exposures exist. Patching and vulnerabilities are core data points, but the general health of the frontline team also needs to be understood and at times executive expectations recalibrated. Fatigue and burn out can lead to impaired concentration and attention and should not be overlooked. For cyber response teams this can be a dangerous proposition, and it paves the way for a corporation to be the next cautionary tale.

Neil Karan is the Director of Cyber Security Strategy and Operations for an Alberta based utility in Canada. He has 15 years of cybersecurity and technology risk management expertise developed in both consulting and private sector, and has a personal passion for cyber strategy and open source intelligence analysis.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.