It's a classic attacker move: Use security protections against those who deploy them. But organizations can still defuse and prevent these encrypted attacks.

Once upon a time, encrypted traffic was considered the safe, secure option for browsing and doing business online. However, going back to December 2013, the Google Transparency Report shows just 48% of Web traffic was encrypted. Flash forward to today, and the volume of encrypted Web traffic is up to 95%. However, the threat landscape has changed a lot since 2013, and now we find the majority of cyberthreats lurking within encrypted channels.

Hidden in your encrypted Internet traffic layers are malware payloads, phishing scams, sensitive data leaks, and more. To understand this better, the State of Encrypted Attacks 2022 Report analyzed 24 billion threats from October 2021 to September 2022 to reveal details on threats embedded in HTTPS traffic, including SSL and TLS. The report shows a consistent upward trend of attacks using encrypted channels — from 57% in 2020 to 80% in 2021 — ultimately finding that more than 85% of attacks were encrypted in 2022. There were other major findings as well.

**Most Encrypted Threats Involve Malware**

While cybercriminals hide a variety of attack tactics in encrypted traffic, malware remains the most prevalent. Malicious scripts and payloads used throughout the attack sequence make up nearly 90% of the encrypted attack tactics blocked in 2022.

    

Fig. 1. Distribution of 2022 encrypted attacks. Source: Zscaler ThreatLabz

Malware continues to pose the greatest threat to individuals and businesses across nine key industries, with manufacturing, education, and healthcare the most common targets. This category includes ransomware, which remains a top concern for CISOs, as ransomware attacks have increased by 80% year over year.

The most prevalent malware families the ThreatLabz team observed abusing encrypted channels include ChromeLoader, Gamaredon, AdLoad, SolarMarker, and Manuscrypt.

**US, India Are Top Targets for Encrypted Attacks**

The five countries most targeted by encrypted attacks in 2022 were the US, India, South Africa, the UK, and Australia. In addition, several countries saw significant upticks in targets year over year, including Japan (+613%), the US (+155%), and India (+87%).

**Encrypted Attacks Increased in Manufacturing, Education**

More than doubling in encrypted attacks (239%), manufacturing displaced technology as the most targeted industry in 2022. Encrypted attacks against the education industry were also up significantly (134%). Attackers particularly favored manufacturing over other sectors as a target for ad spyware. It is also one of two industries most often phished via encrypted channels — the other being healthcare.

    

Fig. 2. Top vertical industries targeted by encrypted attacks in 2022. Source: Zscaler ThreatLabz

Today, most attacks leverage SSL or TLS encryption, which is resource-intensive to inspect at scale and best done with a cloud-native proxy architecture. While legacy firewalls support packet filtering and stateful inspection, their resource limitations make them poorly suited for this task. This creates a critical need for organizations to implement cloud-native architectures that support full inspection of encrypted traffic in alignment with zero-trust principles.

**How to Protect Yourself**

For defenders, the imperative is clear: all encrypted traffic must be thoroughly inspected to detect and stop cyberthreats before they cause damage. While we wait for governments, compliance frameworks, and other vendors to catch up with this reality, it will be up to defenders and leaders to raise the flag and champion initiatives to mitigate this common threat tactic. Zero-trust strategies and architectures — in which you trust nobody and inspect and authenticate everything — are the most effective way to protect your organization from encrypted attacks and other advanced threats.

Attacks start with reconnaissance and an initial compromise of an endpoint or asset exposed to the Internet. Once inside, attackers perform lateral propagation, including reconnaissance and establishing a network foothold. Finally, attackers act to achieve their objectives, which often involve data exfiltration.

Your defenses should include controls for each of those stages. Minimize the attack surface by making internal apps invisible to the Internet, and prevent compromise by using cloud-native proxy architecture to inspect _all_ traffic inline and at scale, enforcing consistent security policies. Organizations should also stop lateral movement by connecting users directly to applications (rather than the network) to reduce the attack surface, and contain threats using deception and workload segmentation. They can also stop data loss by inspecting all Internet-bound traffic, including encrypted channels, to prevent data theft.

If you are looking to minimize the risk of encrypted attacks for your organization, consider these recommendations as part of your adoption strategy:

*   Use a cloud-native, proxy-based architecture to decrypt, detect, and prevent threats in all encrypted traffic at scale.
*   Leverage an AI-driven sandbox to quarantine unknown attacks and stop patient-zero malware.
*   Inspect all traffic, all the time, whether a user is at home, at headquarters, or on the go, to ensure everyone is consistently protected against encrypted threats.
*   Terminate every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real-time — before it reaches its destination — to prevent ransomware, malware, and more.
*   Protect data using granular context-based policies, verifying access requests and rights based on context.
*   Eliminate the attack surface by connecting users directly to the apps and resources they need, never to networks.

Read more Partner Perspectives from Zscaler.

Encrypted Traffic, Once Thought Safe, Now Responsible For Most Cyberthreats

Developers don't have to build authentication and user management from scratch, and can devote their energies to the core functions of the application, instead.

Descope emerged from stealth on Wednesday with a frictionless, secure, and developer-friendly authentication and user management service.

There is always a point in application development when a decision has to be made, to either build user authentication in-house or use someone else's. It's not a one-time decision, either, since user authentication is more than just setting up a username and password. There has to be a process for password resets, a way to add layers of authentication, a mechanism to securely store credentials, and controls to detect and prevent fraud and bots. All that comes before figuring out user provisioning, tackling access control, or even incorporating single sign-on.

"Authentication is never finished for any application," wrote Slavik Markovich, co-founder and CEO of Descope.

Descope's core premise is based on a simple fact: developers should not be spending time and resources on authentication and user management if that is not the core part of the service they are building. With Descope's authentication user management platform, developers can create authentication flows, add passwordless authentication methods to their applications, manage access privileges and identities, and implement security controls to prevent account takeovers and other types of fraud – and they don't need to be security experts to have these capabilities.

“Authentication is too important to be done incorrectly, but it’s also too complicated and time-consuming to be done in-house by engineering teams,” Guru Chahal, a partner at Lightspeed Venture Partners, said in a statement.

Identity-based attacks are on the rise, which has renewed interest in passwordless technologies. The Verizon Data Breach Investigations Report found that 80% of basic web application attacks can be attributed to stolen credentials. Google and Apple have rolled out passkeys to phase out passwords and open standards like FIDO2 and WebAuthn make it easier for users to rely on their devices as an authentication factor. Descope's passwordless technology stack means organizations can make that shift to deliver a passwordless experience to users.

"Our vision is to “de-scope” authentication from every app developer’s daily work, so they can focus on business-critical initiatives without worrying about building, maintaining, or updating authentication,” Markovich said.

The platform supports different types of developers, including those who prefer no-code/low-code tools, rely on software development kits (SDKs), or prefer working with APIs. Developers can use the Descope platform without charge for up to 7,500 monthly active users for business-to-consumer (b2c) applications and up to 50 tenants for business-to-business (b2b) applications.

Descope has raised $53 million in seed funding, the company said. The founding team has worked together for years, at security orchestration, automation, and response startup Demisto, which was acquired by Palo Alto Networks in 2019, and database security company Sentrigo, which was acquired by McAfee in 2011.

Descope Handles Authentication So Developers Don't Have To

The startup's software helps organizations secure their containers in the cloud by teasing out which packages are running and which are vulnerable.

Oligo Security launched out of stealth on Wednesday with its runtime application security platform for detecting vulnerabilities in open source components. Oligo generates a dynamic bill of materials (BOM), identifies vulnerabilities in packages, and sets fix priorities for vulnerabilities based on application context.

Some of the most damaging cyberattacks in the past couple of years originated in open source packages included within large, complex systems. For example, Log4Shell attacks continued throughout most of 2022 because many organizations didn't even realize they were running a vulnerable version of Log4j. Oligo generates a dynamic BOM that shows all the components that are actually running, which helps establish which vulnerabilities to fix first.

Oligo profiles the legitimate behavior of each library and creates a knowledge base of libraries’ profiles. The platform fires alerts when the library activity deviates from the profile, as that would indicate suspicious activity.

"Only 15% of CVEs scanned with traditional solutions are posing a real risk, and the other 85% are irrelevant, resulting in lots of false positives and noise," Avshalom Hilu, co-founder and chief product officer of Oligo, wrote in a technical blog post. Reducing false positives and targeting mitigation more tightly can help security staff close the most dangerous flaws first and reduce alert fatigue.

The company bases its product on extended Berkeley Packet Filter (eBPF), which allows programs to run in a sandbox within the Linux operating system kernel. This means developers can extend the OS to improve visibility, networking, security, and other capabilities to make using containers in the cloud more secure.

With the dominance of cloud computing and expanding use of containerization tools like Kubernetes, eBPF is seeing traction. The overall container security market is expected to rise from $714 million in 2020 to $3.6 billion by 2026, and up to $8.2 billion by 2030. Besides Oligo, other eBPF startups in the cybersecurity space include Araali Networks, which offers an eBPF-based firewall; Cilium, an open source Kubernetes connectivity tool; Falco and Aqua, which make Kubernetes runtime security tools; and Calico, a cloud-native security company.

Oligo raised its $28 million funding from Lightspeed Venture Partners, Ballistic Ventures, and TLV Partners, along with several angel investors.

Oligo Security Takes Aim at Open Source Vulnerabilities

Incident response triage and software vulnerability discovery are two areas where the large language model has demonstrated success, although false positives are common.

A number of experiments suggest that ChatGPT, the popular large language model (LLM), could be useful to help defenders triage potential security incidents and find security vulnerabilities in code, even though the artificial intelligence (AI) model was not specifically trained for such activities, according to results released this week.

In a Feb. 15 analysis of ChatGPT's utility as an incident response tool, Victor Sergeev, incident response team lead at Kaspersky, found that ChatGPT could identify malicious processes running on compromised systems. Sergeev infected a system with the Meterpreter and PowerShell Empire agents, took common steps in the role of an adversary, and then ran a ChatGPT-powered scanner against the system.

The LLM identified two malicious processes running on the system, and correctly ignored 137 benign processes, potentially reducing overhead to a significant degree, he wrote in a blog post describing the experiment.

"ChatGPT successfully identified suspicious service installations, without false positives," Sergeev wrote. "For the second service, it provided a conclusion about why the service should be classified as an indicator of compromise."

Security researchers and AI hackers have all taken an interest in ChatGPT, probing the LLM for weaknesses, while other researchers, as well as cybercriminals, have attempted to lure the LLM to the dark side, setting it to produce better phishing emails messages or generate malware.

    

ChatGPT found indicators of compromise with some false positives. Source: Kaspersky

Yet security researchers are also looking at how the generalized language model performs on specific defense-related tasks. In December, digital forensics firm Cado Security used ChatGPT to create a timeline of a compromise using JSON data from an incident, which produced a good — but not totally accurate — report. Security consultancy NCC Group experimented with ChatGPT as a way to find vulnerabilities in code, which it did, but not always accurately.

The conclusion is that security analysts, developers, and reverse engineers need to take care whenever using LLMs, especially for tasks outside the scope of their capabilities, says Chris Anley, chief scientist at security consultancy NCC Group.

"I definitely think that professional developers, and other folks who work with code should explore ChatGPT and similar models, but more for inspiration than for absolutely correct, factual results," he says, adding that "security code review isn't something we should be using ChatGPT for, so it's kind of unfair to expect it to be perfect first time out."

**Analyzing IoCs With AI**

The Kaspersky experiment started with asking ChatGPT about several hackers' tools, such as Mimikatz and Fast Reverse Proxy. The AI model successfully described those tools, but when requested to identify well-known hashes and domains, it failed. The LLM could not identify a well-known hash of the WannaCry malware, for example.

The relative success of identifying malicious code on the host, however, led Kasperky's Sergeev to ask ChatGPT to create a PowerShell script to collect metadata and indicators of compromise from a system and submit them to the LLM. After improving the code manually, Sergeev used the script on the infected test system.

Overall, the Kaspersky analyst used ChatGPT to analyze the metadata for more than 3,500 events on the test system, finding 74 potential indicators of compromise, 17 of which were false positives. The experiment suggests that ChatGPT could be useful for collecting forensics information for companies that are not running an endpoint detection and response (EDR) system, detecting code obfuscation, or reverse engineering code binaries.

Sergeev also warned that inaccuracies are a very real problem. "Beware of false positives and false negatives that this can produce," he wrote. "At the end of the day, this is just another statistical neural network prone to producing unexpected results."

In its analysis, Cado Security warned that ChatGPT typically does not qualify the confidence of its results. "This is a common concern with ChatGPT that OpenAI \[has\] raised themselves — it can hallucinate, and when it does hallucinate, it does so with confidence," Cado's analysis stated.

**Fair Use and Privacy Rules Need Clarifying**

The experiments also raise some critical issues regarding the data submitted to OpenAI's ChatGPT system. Already, companies have started taking exception to the creation of datasets using information on the Internet, with companies such as Clearview AI and Stability AI facing lawsuits seeking to curtail their use of their machine learning models.

Privacy is another issue. Security professionals have to determine whether submitted indicators of compromise expose sensitive data, or if submitting software code for analysis violates a company's intellectual property, says NCC Group's Anley.

"Whether it's a good idea to submit code to ChatGPT depends a lot on the circumstances," he says. "A lot of code is proprietary and is under various legal protections, so I wouldn't recommend that people submit code to third parties unless they have permission to do so."

Sergeev issued a similar warning: Using ChatGPT to detect compromise sends sensitive data to the system by necessity, which could be a violation of company policy and may present a business risk.

"By using these scripts, you send data, including sensitive data, to OpenAI," he stated, "so be careful and consult the system owner beforehand."

ChatGPT Subs In as Security Analyst, Hallucinates Only Occasionally

Factoring user experience and convenience into how employees and tenants access buildings is top concern for security professionals says benchmark industry survey.

**BETHESDA, Md., February 15, 2023** **–** Brivo, a leading provider of cloud-based access control and smart building technologies, today publishes the 2023 Top Security Trends Report which identifies user experience and convenience as rapidly emerging drivers behind the adoption of new physical security solutions.

Brivo's sixth annual trends report is based on responses from 677 security professionals across the world working in over two dozen sectors. They pointed to growing expectations for frictionless access into workplaces, as more Millennial and Gen Z cohorts enter the workplace, and a general rise in convenience as a major consideration in physical security. 

Key findings that speak to this trend include:

*   84% of security professionals think user experience is either extremely important or very important to access control.
*   65% pointed to user convenience as a benefit of mobile access control, speaking to the growing popularity of mobile devices as an access credential over a traditional plastic FOB.
*   Tenant and workplace experience apps are growing in popularity, ranking as the fifth most popular security system integration this year – according to the respondents. These apps give more control to employees over their office space via mobile-derived services.
*   Security professionals listed remote door management, instantaneous credential management and outsourcing oversight responsibilities as applications for cloud-based security that make their lives easier – highlighting the appreciation that security professionals have for convenience in their own work.

Responses elsewhere in the report show that data collection and system integrations are business imperatives today. Security professionals continue to integrate security systems with cross-functional areas but more are using access data to understand access trends and space usage (45%), find and prioritize unusual activity (42%), and give value to other departments like supply chain, process, and HR (42%). 

This year’s report also reveals that today’s security professionals are bullish on the potential of biometric access solutions. Sixty percent want to add biometrics to their buildings in the next three years and, again, 60% predict that facial recognition will have the biggest impact in access control technology over the next three years.

"The key takeaway from our 2023 Trends Report is that user experience and convenience are vital considerations for security professionals today, and this trend shows no sign of slowing as more cohorts of Generation Z enter the workplace with expectations for technology-enabled frictionless access,” said Steve Van Till, founder and CEO of Brivo. “Cloud-based access control collects the most valuable data for security professionals to make better informed business decisions. The integration of access control with other security and proptech platforms will be essential in meeting stakeholder expectations on convenience and delivering the next generation of access solutions."

Other interesting findings from Brivo’s report include:

*   Respondents reported a surge in access control integrations. Integrations of identity and access management solutions are most common as more organizations pursue streamlined operations by connecting physical and digital security systems for added protection.
*   A lack of budget (39%) was most commonly cited as the reason for not adopting cloud-based access control solutions.
*   More organizations are looking to centralize their security – with 38% saying their organizations are partly centralized today, up from 31% in 2022’s report.

Brivo’s systems generate a wealth of data for organizations to leverage. For a broader view of industry data, articles, blog posts and other content, go to www.brivo.com. For the full 2023 Top Security Trends Report, please visit this link to learn more.

**About Brivo** 

Brivo, Inc., created the cloud-based access control and smart spaces technology category over 20 years ago and remains a global leader serving commercial real estate, multifamily residential, and large distributed enterprises. The company’s comprehensive product ecosystem and open API provide businesses with powerful digital tools to increase security automation, elevate employee and tenant experience, and improve the safety of all people and assets in the built environment. Brivo’s building access platform is now the digital foundation for the largest collection of customer facilities in the world, occupying over 450 million square feet across 60 countries. Learn more at www.Brivo.com.

Brivo Reveals Top Security Trends for 2023: Convenience Is King in Securing the Hybrid Workplaces of the Future

Retail & Hospitality ISAC invites industry leaders, experts, and innovators to submit proposals for presentations and panel discussions.

**Vienna, VA (February 15, 2023)** **–** The Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) is now accepting speaker submissions for the 2023 RH-ISAC Cyber Intelligence Summit. The event, which is the premier conference for retail and hospitality cybersecurity professionals, will bring together experts from across the industry to discuss the latest threats and solutions in the field.

The conference will focus on the challenges facing the retail and hospitality industries in the face of an ever-increasing number of cyber threats, and it will provide a platform for attendees to learn from the best and brightest in the field.

RH-ISAC invites industry leaders, experts, and innovators to submit proposals for presentations and panel discussions that cover topics such as threat intelligence, incident response, risk management, and security operations. The goal of the RH-ISAC Summit is to provide attendees with actionable insights, practical solutions, and meaningful connections that can help them better protect their organizations and customers from cyber threats.

“We’re thrilled to once again bring together the brightest minds in retail and hospitality cybersecurity for our annual summit,” said RH-ISAC President Suzie Squier. “The call for speakers is a critical component of the event, and we’re excited to hear from experts who can share their knowledge and experiences with our community.”

The RH-ISAC Cyber Intelligence Summit will take place October 2–4 in Dallas, Texas. To submit a speaker proposal, visit https://rhisac.org/events/call-for-presentations/. The deadline for submissions is May 5.

For more information about the RH-ISAC Cyber Intelligence Summit, visit https://summit.rhisac.org/.

**ABOUT RH-ISAC**

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is the sector’s operational community for sector-specific cybersecurity information and intelligence sharing and collaboration. As such, the RH-ISAC not only connects and serves its members,italso seeks to partner collaboratively with all trade associations in the sector to support security development and maturity with the goal of building better security for the retail, hospitality, and travel industries through partnership and collaboration. For more information, visit www.rhisac.org.

Call for Speakers Now Open for the RH-ISAC Cyber Intelligence Summit

US federal watchdog agency outlines key measures for better protecting sensitive data under the federal government's control.

The most recent in a series of US Government Accountability Office (GAO) reports on the state of cybersecurity across the federal government makes specific recommendations about the collection, use, and sharing of personally identifiable information (PII).

In a Feb. 14 report, the GAO recommended improving the protection of private data, particularly information collected in retirement plans.

Besides the cybersecurity of stored data, the report calls on agencies to establish data privacy policies and procedures that include record-keeping that identifies the types of personal data collected, regular privacy impact reviews, and the coordination of these data privacy functions across the agency.

The latest GAO cybersecurity assessment points out, as it has in previous reports, that agencies have been slow to adopt its recommendations.

"We have made 236 recommendations in public reports since 2010 with respect to protecting cyber critical infrastructure," the GAO added in its report. "Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

GAO Calls for Improved Data Privacy Protections

2022 saw a record number of cyberattacks. In response, regulators are prescribing how companies should manage their risks. How do you prepare?

In 2022, we saw a large number of cyberattacks and breaches that affected both companies and countries, driven primarily by accelerating innovation by threat actors and continued diversification of the threat actor economy. While many technical responses have been proposed, the policy responses pose a more challenging issue, as companies will need to comply with public policy decisions despite challenging macroeconomic conditions and a persistent lack of skilled professionals to work on cybersecurity.

In short, 2023 will be the year of risk.

**1\. Anticipate org chart changes and more collaboration with the C-suite.**

Pending regulatory changes require that the CISO be independent, and this independence will likely require organizational chart changes, as CISOs have historically reported to the CIO, CTO, or another senior executive with a background in technology.

This frequently creates an implicit conflict of interest when budgets and staffing considerations arise, as the incentives of the CIO or other senior executives do not necessarily align with the goals of the CISO. In 2023, CISOs should prepare to be adequately independent and have good visibility into the management of cyber-risk. Being independent includes the responsibility of setting staffing and budgets for approval by a committee, rather than providing a cybersecurity budget line item as part of another senior executive's larger budget for the year.

**2\. Be ready to answer more risk-related questions from the board …**

Boards want to have more oversight of cyber-risk. In 2023, organizations should plan on inviting their CISO to a board meeting (and to be somewhat forgiving of that first meeting with those CISOs who come from a technical background). While not all board members need to understand cybersecurity, all CISOs (or CIOs, or whoever presents to the board) need to be able to speak to the board in the language of risk to effectively communicate status, learn about larger initiatives, and ask for assistance or perspective when needed. Although this will be a new requirement for publicly traded companies, privately held companies should strongly consider adopting this new change to reporting.

**3\. … and as a result, be more diligent about communicating risk.**

Companies should track the risk of noncompliance and be able to describe their risk management plans associated with noncompliance. Depending on the specific regulatory body, civil and criminal penalties are potential outcomes, as well as congressional hearings or reputational damages.

Companies that have DFARS requirements — particularly those with CMMC level 2 control requirements — hold the dual risks of noncompliance leading to denial of future Department of Defense contracts as well as the potential of whistleblowers under the False Claims Act. As a result, CISOs will need to be consistent and persistent about communicating the status of their risk and compliance posture.

**4\. CISOs will need to invest in internal assessments as more security breaches hit the news.**

Cybersecurity breaches were a hot topic in 2022, with several high-profile cases making national headlines. For example, the Federal Trade Commission (FTC) sought action against online alcohol marketplace Drizly — and its CEO, Cory Rellas — for cybersecurity failures affecting over 2.5 million consumers. Notably, the FTC specifically named and sanctioned Rellas — a new move for the governing body. This change in posture may indicate a larger shift toward enforcement at the FTC, particularly for organizations that don’t have adequate controls around the protection and disposition of consumer data.

One lesson carries across these stories: the importance of effective internal assessments, as they are critical tools to find weaknesses in your security program and assuring that those weaknesses are fixed. We predict a sharp increase in investigations with adversarial discovery in 2023 as companies watch these major news stories play out in real-time.

**5\. SMBs should consider increasing security control monitoring to avoid cyberattacks.**

Smaller companies are more vulnerable to cyberattacks, but why? Simply put, they don’t have the budget or resources to combat ransomware attacks, which is why they are a high priority for threat actors.

More controls in place means more processes for maintaining those controls, which results in more manual processes that IT security professionals must handle. For example, SMBs will need to map out the GDPR compliance legalese to controls for breach notifications, or quickly finding CIS Control Group 3 to help with data disposal.

IT, security, and risk management professionals will need to better collect and organize their evidence in preparation for applications and renewals of their cyber insurance policies. They might also consider a tool that enables them to link risks to controls to decide how much coverage they actually need.

**About the Author**

    

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

2023 Is the Year of Risk: 5 Ways to Prepare

Information security is a high-stakes field with sky-high expectations. Here's how CISOs can offset the pressures and stay healthy.

John has built a stellar reputation as a problem solver and cyber defender. Yet, today, John, the chief information security officer of a major manufacturing company, is frantically trying to find out why the CEO had been unable to retrieve or send any emails for the past four hours. The CEO is extremely irate, and as John takes in the barrage of anger, John begins to feel fear sinking into his chest. Would this incident tarnish his hard-earned reputation? Will he lose his job?

John prides himself on having answers and receiving praise for fixing problems, so he is taking this situation to heart. He started his IT security career as an analyst. He was incredibly talented at spotting gaps in security posture and determining creative ways to close those gaps. John's intelligence and innovation helped him quickly climb the ranks to CISO. However, each level of promotion brought with it increasing challenges and demands.

As an analyst, John's responsibility was confined to himself and his specific role. The CISO role has widened John's scope of responsibility immensely. He now has to manage a team of people with varying personalities; budget and request funds for projects; communicate and build relationships with other business leaders within his company; negotiate and buy products and services from vendors; and meet a number of other responsibilities. John also has to find time to be a husband, to be a father, and to take care of his own physical and mental health.

It doesn't help that John's leadership expects the IT security department to protect 100% against malicious threats targeting their company. John and his team are expected to perform perfectly. It's an unrealistic and unreasonable expectation, which leads to high stress and burnout. Unfortunately, many are in this position.

**What Leaders Should Do**

Had there been someone coaching John, he would have been taught about effective leadership traits that would help him have less emotional fallout in this scenario. There are three core tactics John could use to keep from questioning his own efficacy or suffering burnout.

**1\. See mistakes as a learning opportunity.** Mistakes happen. They are a part of life. Those who thrive see mistakes as learning opportunities and ways to get better. Accept any mistake as what it is: an outcome you did not want. Investigate what led to that outcome, determine what alternative choices were available, and understand what better option exists moving forward.

**2\. Control the controllables.** There are not a lot of things in our control. For example, we have no control over how others respond (like a yelling CEO), if a salesperson gives us all the information we need to make an educated purchase, if employees leave the company, if it's going to rain, or a litany of other things. Focusing on things outside of our control will lead to increased fear and manifesting more of what we do not want.

However, we do have the ability to focus on what we have control over. We have control over how we respond to situations; we have control over our energy, effort, and attitude; and we have control over how we choose to model for others. Focusing on what we control will not guarantee things work out. However, it will allow us to have more sanity and certainty we are doing the right things at the right time, which will increase our chances of success.

**3\. Remain calm.** When threats to our safety (real or perceived) occur, we instinctively go into survival mode — fight, flight, or freeze. In times of fear and panic, our cortex disconnects from the cerebellum, known in psychology as a "flipped lid." We lose our ability to critically think and problem-solve. Our breathing also becomes faster and shorter. You can get back to calm through your breath.

Box breathing is a simple and effective technique for recovering a mental space in which you can problem-solve. It employs four equal parts, just like the sides of a box. You inhale for 5 seconds, hold at the top of that breath for 5 seconds, exhale for 5 seconds, and hold at the bottom of that exhale for 5 seconds. Repeat this process for a minimum of 5 rounds or more.

**Reduce Stress to Reduce Turnover**

Stress is on the rise within the IT security space, which leads to problems like burnout and employee turnover. The 2022 Global Chief Information Security Officer (CISO) Survey from management consulting firm Heidrick & Struggles shows some concerning statistics. The survey showed stress (60%) and burnout (53%) were the top responses as being the most significant personal risks to CISOs in the United States.

People are leaving CISO roles for other operational positions, pursuing consulting opportunities, or not entering the CISO roles altogether. This exacerbates two big issues in the industry: not enough talent to fill seats and employee retention.

"They're \[CISOs\] choosing to punch out," Matt Aiello, partner and leader of the cyber practice at Heidrick & Struggles, told CNBC recently. "What we're hearing in off-line conversations is that it's a great role, but it's very hard and the regulatory pressures are increasing, and that makes being a CISO even more challenging."

Awareness and prioritization of mental health support and performance coaching is growing in this industry. In 2018, for example, the Black Hat conferences introduced a community track focused on mental health and other nontechnical topics that's continued to this day.

Being an IT security leader is hard. There are so many challenges to being effective in the role — unrealistic expectations of protecting your organization 100%, not getting the funding you need to purchase resources, difficulties finding and retaining good talent, etc. Ineffective leadership skills make this job harder. You and your team can thrive if you learn how to lead effectively and avoid burnout.

3 Ways CISOs Can Lead Effectively and Avoid Burnout

Here are some of the easily avoidable mistakes most companies made last year, gleaned from hundreds of cybersecurity engagements by red and blue teams.

After analyzing and buttoning up hundreds of cybersecurity incidents in 2022, a group of purple team consultants compared notes to share five of the most common mistakes they've observed organizations make.

A purple team is a group of offensive cybersecurity professionals (red team) working in tandem with defending teams (blue team) to improve operations and mitigate threats.

Lares security assessment firm has published its purple-team findings that found companies keep making the same five errors: bad event logging, a lack of offensive security knowledge, maintaining a codependent relationship with the security operations center (SOC), too great a reliance on tools, and excessive outsourcing. Organizations need to pay attention to critical log events so that they don't overlook signs of malicious activity, to not expect detection and response tools to find all bad actors, and invest in their employees to learn and grow their security skills.

"To properly defend their organizations, security professionals need to be aware of the latest threats and how to respond," Andrew Hay, chief operating officer of Lares, said about the new report. "Security teams also need to be mindful of the potential issues that can arise from their defensive measures."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading