security fatigue

How to fight security-solution fatigue

Rising cyber threats, an overabundance of vendor solutions and communication roadblocks are contributing to solution fatigue among chief information security officers, a new report finds.

A CISO’s job is to find “the harmony between not impeding business operations while implementing risk informed security strategies that protect the important information assets and accesses of their organization,” according to “CISO Solution Fatigue,” by the Institute for Critical Infrastructure Technology. Often, though, a CISO  functions more as a risk officer, listening to hundreds of company pitches for security tools and solutions every year, the report adds.

This solution overload leads to an average turnover rate of 17 months, despite the fact that the median salary for CISOs is $194,000 to $270,000 and that the job is making gains, with 54 percent of organizations creating the position within their organizational structure.

Here are some ways CISOs can fight solution fatigue, according to ICIT:

Beware of startups’ deals to test tools. Startups may ask CISOs to test their products and provide feedback before tools are released. Although this often means a discount for the agency, it leaves CISOs scrambling to develop or replace the solution when it doesn’t work out.

Shift to long-term thinking. Solutions must meet business needs, not just the security team’s need to plug a gap. CISOs must work with all stakeholders -- security, IT and leadership teams -- to understand the organization’s environment.

Watch out for hypotheticals and silver bullets. Vendors that promise a cure for a hypothetical problem distract CISOs and IT staffers from the risks -- and from the solutions that actually address them.

Understand proposals and the agency’s needs. Business need outweigh the availability of tools. That means CISOs must sometimes decline promising tools if they don’t fit current needs.

Ignore the hype. A rule of thumb, the report states, is to look for solutions instead of products. Find out what products have a proven track record.

Let the tools do the work. Some agencies are still ironing out their policies on emerging technologies -- such as bring-your-own-device policies and the Internet of Things -- which means CISOs get wrapped up in those discussions. Solutions that secure devices and securely monitor or regulate communication to them can ease the burden.

Ensure the integrity of what you already own. Penetration testing can help identify vulnerabilities and detect and remove attackers. CISOs should look for trustworthy vendors with a reliable reputation.

Use continuous monitoring. Tools that deliver regular updates on anomalies and data trends can free up workers to focus on other areas.

Embrace the cloud. Cloud computing can reduce costs, eliminate redundancies and increase security. Cloud solutions should comply with agency requirements and be scalable and readily available.

Let the numbers do the talking.  Risk assessments showing quantitative metrics such as return on investment can help persuade stakeholders that a solution is necessary and feasible.

About the Author

Stephanie Kanowitz is a freelance writer based in northern Virginia.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected