Problem solve Get help with specific problems with your technologies, process and projects.

Strategies for doing more with less

Strategies for making the most out of limited resources.

"You must do more with less."

This is the mantra security managers have grown accustomed to hearing, but may not have grown accustomed to practicing. How are you to maintain the level of security and productivity to which your organization has grown accustomed, when your resources are limited and demands for network protection (can you say worms, Sarbanes-Oxley, SPAM, HIPAA, etc.) are increasing? Though we appear to be emerging from the economic doldrums, you may still find yourself in a situation where you simply don't have the staff you need. Here are some strategies you might consider to turn potentially difficult situations into wins for everyone.

Interview your staff

Depending on how long you've worked with your staff, you may need to visit with them individually to identify talents that have been hidden. Some of your folks may have had specific job duties that prevented them from demonstrating areas where they could bring more value to the table. Identify and catalogue these newly discovered resources for use as project requirements demand. Have your more senior staff members mentor the junior members. Draw on and try to distribute the experience and expertise you have at your disposal.


There will always be more projects than resources, so prioritizing is a must. Most of your projects will fall into one of two categories: those projects you can prioritize and those projects that are prioritized for you. For those you control, employ elements of basic time management to your project list. Assign them as primary, secondary or tertiary priorities to be addressed according to criticality and dictates of time. Solicit the input of your staff when prioritizing your projects. Management by committee is not the goal here, but you will often find that they have insight that could reduce project time or eliminate project overhead. For the projects that are prioritized for you, apply sound judgment and some common sense, and then rank them within your system according to the sensitivity warranted.


Know the business side

IT security practitioners and IT professionals in general, while technically competent, are frequently found lacking in business understanding. You don't need to be an MBA to have a sound understanding of financials and budget cycles. Make it a point to understand the financial impact that IT security requirements may have on the bottom line, and learn to be able to speak intelligently and competently about fiscal issue that affect you, or through your actions, affect others. Find the person that is most familiar with IT budgets and seek out his knowledge and expertise. Learn how that information fits into the larger corporate picture so you'll better understand how your IT dollars affect others.

Know your business

Find out what goes on in your company outside the confines of the NOC and the data centers. Yes, a firewall in a credit union is configured using the same tools as a firewall in a school administration building. However, knowing the specifics of your company's business may allow you to focus on solutions that are industry specific. Such rifle-shot solutions could be more efficient and economical than shotgun solutions trying to be all things to all people. Scan trade publications that are specific to your company's industry as well as the technical journals you follow. Attend professional meetings pertaining to your company's industry to see what solutions are in place elsewhere.

By learning what issues your company faces at large you will start to gain a broader perspective that will benefit you when it comes time to protect what is important to your company. Now share that information with your staff. Let the new found knowledge benefit everyone. The last thing you can afford to do with limited resources is to hide information that could be beneficial.

Make and keep allies

Too many security professionals begin and end discussions with "No." At the end of the day, we are paid to be cautious, but that doesn't mean we need to be obstructionists. If you can employ the suggestions discussed above you can better identify the business needs, and then intelligently weigh those needs against potential security risks. By enlisting the aid and input of the business managers you are ultimately trying to help you can usually find solutions that mitigate the risk, meet the business needs and don't break the bank. Include members of your staff in meetings they might not otherwise have attended. Not only will they be exposed to information that was previously filtered when it got to them, they will likely feel an increased sense of trust and involvement – always a good thing.

When the other managers find out that you are sincere in meeting their needs, you will find them more anxious to help you secure your IT environment. As you become more known for value-add solutions in a world in which you are lacking resources, your value to the company should increase – which might just increase your chances of adding folks to your staff.

About the author
Mike Lamkin, CISSP, is the IT security manager of a Fortune 200 company based in Houston, Texas. Mike has been an IT security practitioner for the last seven years and has been in the IT industry for more than 27 years. Mike has spoken at seminars and conferences, conducted training and authored several articles on networking, security and related issues.

This was last published in June 2004

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.