Security can often feel overwhelming for an information security practitioner.
Protecting the corporate network can be like protecting a fortress where enemies from all over the world circle in massive numbers. The lone security practitioner anxiously repairs holes in the firewalls after each probing attack that tests their strength. The uninformed occupants of the fortress go about their business without noticing the attacks and offering no reinforcements. Each enemy has plenty of time to probe the defenses of the fortress for that one key vulnerability that will let it inside. The exhausted defender has to protect and mitigate each attack from every enemy while still attending the department's weekly staff meeting.
The simple fact is that information security professionals are outnumbered and the odds are against them.
The simple fact is that information security professionals are outnumbered and the odds are against them. The profitability of criminal hacking is on the rise with little risk to the perpetrators. Even if there's a budget to hire new information security staff, talent is hard to find. An attacker only has to be right once while the security pro has to be right every single time or the system can be compromised. This situation can lead to career burnout, as the beleaguered security pro ends up working too many hours defending corporate assets.
Fortunately, there are techniques a security team can use to keep up with information security tasks until additional resources are available. It is critical that information security pros take the time to recognize how to best organize their tactics, which fall into three categories: prioritize, optimize and automate.
The first technique is the prioritization of both tasks and security risks so that the most important are being addressed. This cannot be done without the involvement of business representatives, so an information security governance committee is needed. It is not just an information-security risk decision, but a business risk decision. The priority listing should be kept to a summary level with just enough detail to describe the risk when it's presented to the committee -- a listing of the top 10 risks should be sufficient.
The governance committee will provide feedback and may reprioritize the listing of tasks. Not only does this process work for the prioritization of risks, but the committee also learns how many risks are not completely mitigated due to the lack of resources. This can help drive support for increased resources for information security in subsequent budget years.
Information security pros can have a hard time letting go of some tasks, but outsourcing can be used to free up time for more important work. Good managed security products and services are available to supplement the security team and can do repetitive, routine tasks such as monitoring logs or patching compliance. In addition, resources are available to help write security policies and review contractual language to provide security advice.
There has been some debate in the information security community over the adoption of cloud services in security-sensitive corporate environments. Each cloud provider should be properly vetted to verify that it provides the necessary security levels. Cloud service providers may be able to provide security capabilities not available in hosted solutions for the same cost. For less than $10 per user per year, for example, there are auditing systems for Google Apps for Business that can report who used any file and from where. Besides the auditing capabilities, a cloud services provider like Google simply has more resources than any small business has to defend a hosted email system.
There may also be opportunities to recruit help from other departments in the company. For instance, helpdesk technicians are a good source of help for information security departments because they are often looking for career ladders and opportunities to learn new skills. They are also on the front line of user support, so security training could have the additional benefit of helping them identify a security threat earlier than they would have otherwise. Other departments that could provide additional resources for information security work include human resources, accounting, and legal or internal audit.
The final technique for creating a more efficient information security team amid staffing shortages involves automation. There are so many routine tasks in information security that can be automated, including patching, vulnerability scanning and log aggregation. Some routine tasks might require investing time in creating custom scripts to get them fully automated. It might be hard to set aside that time, but it will produce dividends in the future.
Automation could also include implementing systems like security information and event management systems (SIEMs) to aggregate and correlate security events. These systems, when properly tuned and configured, can dramatically increase the efficiency of the information security team while also reducing the overall incident response time. There are SIEM systems available for every budget, including those that are freely available as open source.
Information security departments often are understaffed and feel overwhelmed by the size and complexity of their tasks. The cybercriminal has to exploit only one vulnerability to be successful, while the information security pro must find and mitigate them all. Information security talent is hard to find even if the financial resources are available. Career burnout can be the final result if the information security pro cannot find a proper work-life balance.
The solution is to organize information security tasks to better balance the team and increase workload capacity without additional positions. The three techniques for organizing the work and increasing the efficiency of the team are prioritize, optimize and automate. Use an information security governance committee to prioritize the tasks, investigate which tasks can be outsourced to optimize the tasks, and finally acquire or build new systems to automate remaining tasks. Information security teams that adopt these organizational techniques will not only find that they not only have more time available, but also find they have more job satisfaction and feel less stressed overall.
About the author:
Joseph Granneman is SearchSecurity.com's resident expert on information security management. He has more than 20 years of technology experience, primarily focused on healthcare information technology. He is an active independent author and presenter in the healthcare IT and information security fields. He is frequently consulted by the media and interviewed about various healthcare IT and security topics. He has focused on compliance and information security in cloud environments for the past decade, with many different implementations in the medical and financial services industries.
Learn whether a security team is better with security specialists or generalists.
Get a recruiter's take on why information security positions go unfilled.