CISO VS. CHATGPT
Thank you Billy Joel for your inspiration!


Introduction

We didn’t start the fire! No, we didn't light it, but we tried to fight it! No truer words could be said by a CISO, though they came from Billy Joel in 1989, in his song of that title (thank you, Billy!). As the lyrics convey, we live in a complex world, and it's a chaotic place. Our CISOs are not responsible for the cyber problems that exist, but they darn sure carry the burden of the stress and pressures of defending against all the cyber problems that exist.

Enter ChatGPT.

A vast endless universe of knowledge, available to anyone who types a simple request. What kind of new world will the CISO face given this new entity… will it be a new fellow in the fight against evil or the evil itself?

I also wonder… one day, will corporate profits and a lack of understanding of cyber drive boards and executives to rely on the word of GPT instead of the wisdom of the CISO? But I digress, and that discussion is for a different article.

In the meantime, let us explore the topic of “advice.” CISO: A single person in a company responsible for knowing everything there is to know about all the global cyber threats AND being accountable for them … Yeah, that is just a bit too high of an expectation. Unfortunately, it is their reality. So, what specifically causes the most stress to a CISO, and how do they manage that pressure while maintaining a happy and healthy life balance?

What do our CISOs suggest and what does AI suggest?

How do CISOs deal with the stress and pressures in their cybersecurity roles?

I put this question to a group of CISOs, then I asked ChatGPT the same question. Here we go.

CISO Response to Stressors

Literally, all the CISOs I spoke to replied with these specific stressors, which are summed up best by Fawaz Rasheed, former CISO of global Financial, Healthcare, and Manufacturing firms:

  1. The sheer nature of the CISO role is a high-stakes, high-stress-laden position. Having ultimate responsibility for securing all the underlying elements of the people, the data, and the organization carries stress out of the gates.
  2. Not having enough financial and human capital for the security organization is an ongoing stressor. Throwing more money or bodies at the problem doesn’t, by itself, solve the problem, but it does help in standing up a better defensive posture.
  3. The imminent nature of attacks and the likelihood of a breach (despite investing in controls) also contribute to stress. Having absolute certainty around the defensibility of data in all states and at all times is unrealistic. Making the best informed and prioritized decisions to protect the organization is the approach CISOs take, but the residual risk posture still carries stress.
  4. Executive sponsorship and unwavering support for cybersecurity. Maturing the cyber program starts from the very top of the organization. If leadership and boards expect CISOs to prevent cyber intrusions and minimize risk, but provide limited budget, limited headcount, and layer on personal liability, then this will be a heavy weight to carry and can set up an untenable situation for the CISO and the firm itself.


CISO Response to Stress Management

The question of managing stress drew an assortment of brilliant advice! It includes great ideas for personal time and ways to reduce stress during work hours.

Mike Dent, CISO of Fairfax County, Virginia:

  • Working out is a great way to take a break from the stresses of work. Exercise helps increase endorphins and promotes relaxation. Running, swimming, or doing yoga helps improve mental well-being as well.
  • Spending weekends with family and loved ones at our favorite getaway cleanses away the week. It is a truly calming and relaxing experience. The soothing sounds of nature and the peacefulness of the outdoors can quell any anxieties or worries. Spending time outdoors is rejuvenating and a perfect getaway from the hustle and bustle of being a CISO.
  • I love spending my free time woodworking and metalworking. From carving intricate designs into wooden trinkets for gifts to welding pipes for sculpture, this provides me with endless possibilities to decompress from the day’s stresses. I find it incredibly satisfying to relax and create something tangible and unique that I can be proud of after investing a lot of effort. There is something so rewarding about being able to come home and work on a project that has the potential to be amazing!

Mike, and other CISOs including Fawaz Rasheed (aforementioned), Benjamin Corll, former CISO of Coats, Chris Day, former CISO and Chief Cybersecurity Officer, and Amit Yoran, Chairman and CEO of Tenable and national cybersecurity expert, also added:

  • Talk to industry peers. You can share crucial information and resources and gain insight into different perspectives and approaches by talking with peers. It is also essential for CISOs to stay connected with the industry so they can stay on top of the latest developments, security trends, and emerging technologies. This can help you stay informed and in tune with the changing landscape.
  • Try to have at most only 2/3rds of your time scheduled. This allows you time to deal with the unknown-unknowns, catch up on email, and/or to simply take a breather.
  • Acknowledge and accept mistakes, and don’t beat up yourself or your team. Mistakes are a normal part of the process and should be treated as learning opportunities. Then you can take action to prevent similar mistakes from happening in the future. This makes for a better overall relationship with your team, and yourself.
  • Scheduling personal activities to look forward to is impactful as well. Whether it’s a weekend getaway or an upcoming vacation, this offers the motivation to get through the stress and look forward to some light at the end of the tunnel.
  • Walking the dog (or dogs) is a great way to relieve stress and helps to shift your focus away from the cause of the stress and onto the dog itself. It also encourages you to get outside and get some fresh air. (Side note, petting and playing with your cat = same)
  • Listening to podcasts (while walking your dogs) can help relieve stress in several ways. First, they can provide a distraction from the stressful situations you deal with and take your mind off things. It is also a great way to learn more about topics and provide a source of comfort, reassurance, and inspiration.

ChatGPT Response to Stressors

Direct Copy/Paste responses.

Stressors (ChatGPT)

  1. Handling security operations while staying ahead of emerging threats.
  2. Implementing Information Security Policies and verifying compliance with regulations.
  3. Establishing a security risk management system and ensuring it is up to date.
  4. Developing a budget and allocating resources to meet security goals.
  5. Managing security operations while coordinating with IT and other business areas.
  6. Having to defend the organization against cyber-attacks and data breaches.
  7. Keeping up with ever-changing regulations and compliance requirements.
  8. Measuring the effectiveness of security operations and responding quickly to changes.
  9. Communicating security best practices and awareness measures to non-technical staff.
  10. Maintaining a rapid response to potential threats or issues.

ChatGPT Response to Stress Management

  1. Prioritize tasks: It can be challenging to manage all the tasks that come along with being a CISO. Prioritizing tasks can help focus energy and ensure that the most critical tasks are tackled first.
  2. Create a support network: Building a network of peers can be incredibly helpful for managing stress. They can provide a different perspective and act as sounding boards for ideas.
  3. Take time for yourself: For CISOs, work can easily consume every hour of the day. Take some time away from work to focus on yourself. Exercising or spending some time outdoors can provide mental clarity to help combat stress.
  4. Adopt healthy coping strategies: Stress can lead to unhealthy coping mechanisms. Utilize technology to combat this, such as meditation apps or fitness apps.
  5. Seek out professional help: Stress can be difficult to manage, and, in some cases, professional help can be beneficial.


Conclusion

More and more relevant to CISOs, ChatGPT is doing a persuasive job of sounding like a super-intelligent human CISO. In fact, some of the answers were similar, which makes sense as the AI is pulling from previously documented responses from CISOs. However, to me the stressors sounded like a job description – I hope that doesn’t mean AI interprets everything about the job as a stressor.

As for the de-stressors, ChatGPT provided some usable inputs. The CISOs interviewed did as well, but with more color and context. Maybe it's just a matter of time or specific words used in the query before ChatGPT’s responses evolve as well.

While the future of AI remains uncertain, one thing isn't. We aren't replacing CISOs with AI. While the bad guys are going to continue using AI, CISOs and their teams are going to need to become very well acquainted with how to use AI - and its power - to fight cybercrime.


Next on CISO vs. ChatGPT?

Using AI to Attack and Defend


#CISO #CYBERSECURITY #AI

Todd L. Bell

CIO/CISO | Accelerating Business Growth with Digital Transformation | AI Innovation | Resilient Cyber Strategies

2 years ago

As a CISO, I'm starting to use ChatGPT from policy development, phishing email testing for social engineering attack attempts, and researching data points for a cyber presentation. It's a handy tool. I'm excited to see how OpenAI will be integrated with cybersecurity products. This might help out with the CISO stress levels...

Sam Junkin

Global GRC Practice and AMERICAS Delivery Team Leader at Verizon Cybersecurity Consulting

2 years ago

Very interesting concept! On the next volume, possibly consider providing the AI interface with a prompt of "how would a seasoned CISO answer my question". You may garner a more conversational response from ChatGPT similar to how a CISO would respond instead of the standard bullet list of points. Regardless, very interesting and thanks for sharing.

Victoria Abeling

Vice President of North America Sales, Global Renewals, and Global BDRs at LastPass

2 years ago

What a relevant and interesting topic to highlight. Looking forward to what's next.

Kayne McGladrey

Field CISO at Hyperproof | Improving GRC Maturity and Leading Private CISO Roundtables | Cybersecurity, GRC, Author, Speaker

2 years ago

Something else that's interesting here is the brevity of the responses by #chatgpt compared to those of CISOs. The responses to stress management felt like every other listicle dropped in front of CISOs and lacked new ideas or approaches. Kathie Miley, I do agree that the responses for 'stressors' were pulled straight from job postings, which feels adequately dystopian.
