The role of the CISO has become increasingly challenging in recent years, with cyber leaders grappling with surging cyber-attacks, the cyber skills shortage and budgetary restraints.
During Infosecurity Europe 2023, Erhan Temurkan, Director of Security and Technology at Fleet Mortgages, spoke to Infosecurity Magazine about how CISOs can manage their teams effectively in this environment.
Temurkan first emphasized the importance of utilizing tools and technologies to improve the efficiency of teams. This doesn’t necessarily mean spending lots of money on fancy new tools. “Look at what’s out there and utilizing what you currently have today in a smarter way,” he commented.
In particular, Temurkan believes AI and machine learning can be used to enhance cyber jobs rather than replace them. If done correctly, this can make work more “fun” for employees by reducing the more mundane tasks, he added.
He also noted that these technologies can reduce the burden on workers, which is an increasingly important consideration with mental health and burnout prevalent in the sector.
With that in mind, CISOs must be conscious of the pressure on workers, and find ways to alleviate this burden, such as rotating shift patterns.
“Have that rotation where your SOC analysts who might be doing shift patterns come off that for a while and focus on something else,” he advised.
Retention Strategies
In a highly competitive jobs market, it is becoming increasingly challenging to retain cyber professionals, particularly for small and medium-sized companies that struggle to compete financially with the bigger firms.
As a result, Temurkan has found that workers in this area are far more demanding of their employers, with considerations going far beyond money into areas like training and development, work-life balance and even the organization’s ethics and values.
“I am actually having to sell the opportunity as well,” he commented. “If you don’t do that, there’s another company who will come along and make a better offer than you.”
Training should be personalized as much as possible, with leaders listening to their team “and take feedback on the areas they find interesting,” he said.
Temurkan explained that his team have time set aside for training every week, even if it is in bite-sized formats such as checking threat intelligence feeds. “You have to make time,” he noted.
Leaders should not fall into the trap of fearing that investing in their team’s development will lead to staff using those skills for other jobs. Temurkan noted that if you don’t train staff and they stay, that is worse for the organization given the need to keep up with ever-evolving threats and technologies.
“My mantra to my team is that if they leave and go onto something better, I feel like I’ve done a good job,” he outlined.
Communicating the Value of Security
Temurkan stated that CISOs must understand how to communicate cybersecurity to the rest of the business, and also impart that wisdom to the rest of their team. This is particularly important for building a business case for investment in new cybersecurity tools.
Therefore, he asks his team to present new ideas to him without technical slides, and instead as a ‘SWOT’ analysis. That same framework can then be used to make the business case to the board.
“It’s not just me that has to know this language – my team has to do it too, we all have to live and breathe the same thing,” Temurkan explained.
Learning to communicate cybersecurity in a way the rest of the business can understand should be part of a security leader’s approach to ensuring cybersecurity isn’t seen as a blocker, but as an enabler of progress.
“We never say no, but we want to be seen as in the know,” he outlined. “We work with the business, understand its needs – I really want to stay away from that old style of thinking where we’re seen as the blocker.”
This approach also provides greater value and purpose for the security team, ensuring they are fulfilled in their roles, added Temurkan.