Managing Resource Scarcity in Enterprise Information Security - Part 1
Seeking better value is the new norm. Make do with less. While these concepts are certainly not new, they don’t mesh very well with the general trend in security. As an industry, security gets heavier and heavier.
We add new security tools but seldom get rid of the old ones. So, it’s no surprise that when our companies require us to reduce our budgets we don’t really know how to do it. In the face of these tightening budgets we need to adapt and survive. This leaves us with three options:
- Heroic efforts. When things get tight, we tighten our belts and work through it. 40 hour work weeks turn into 50 or 60, and stress levels climb higher and higher.
- Lower quality work. To make up for the lesser resources, we continue doing just as much stuff, but we don’t do as good a job of it. We hit all our deadlines (or maybe just miss them by a bit), but do it with “just good enough” work.
- Do less stuff. Number three demands hard choices. We have to evaluate everything we’re doing and prioritize those tasks based on which best support the business, and which are merely the dreaded “the way we’ve always done it.”
Most companies I’ve worked with have gone through multiple phases. Generally, management doesn’t want to be the squeaky wheel, and they opt for heroic efforts. The perception is that everyone else is chipping in, so why should your department be any different? Ideally, this option would never be considered in a security department. It leads to staff burn-out and high turnover. In the real world, there may be times when heroic efforts are required. But a manager must recognize that those times need to be short-term, with a specific end date. Anything else is unsustainable for the personnel, and ultimately detrimental to the department and the organization’s overall risk level.
Heroic efforts are unsustainable and ultimately increase organizational risk
Lower quality work is often where heroic efforts ultimately lead. Whether by tacit agreement among management (have you ever heard a manager excuse poor or late work with, “You know how strapped we all are for resources”?), or simply because of hero fatigue, the quality of the work gets lower. This phase is the most dangerous in an information security department. Low quality security work means holes are left in your defenses. Combine a hole in the perimeter with a hole in the detection mechanism, and you’ve got a risk of catastrophic loss.
The third option is to do less stuff. This can be a very hard choice. Not only does it require admitting that we can’t do everything we used to do, it also requires a temporary increase in work as we figure out which tasks can be off-loaded, and then as a plan is created and implemented to eliminate those tasks from the environment.
While all three choices have associated challenges, only the third option provides a viable long-term solution. “Doing less” may require a re-architecture of the organization’s defense in depth strategy, and may require some creative thinking. But by failing to proactively choose to do less we are implicitly choosing to require heroic efforts (and the associated burnout and unsustainability) or the dangerous vulnerabilities that go hand in hand with low quality work.
By confronting this choice head-on, and weighing the relative effects of each option, it becomes obvious that there really is only one choice. Not only are options 1 and 2 unhealthy and dangerous, but option 3 can actually improve the security posture of the organization. Going through the process not only helps reduce the workload in the long run, it improves self-awareness and simplifies the defense-in-depth stack.
In my next post I will dive further into exactly how we can do less while still providing a valuable service to the business.
Cross-posted from Enterprise InfoSec Blog from Robb Reck.