Let’s be positive about security for a minute. Let’s put away all the doom and gloom stories about companies not investing enough in security and just accept that for right now. No, we don’t all have the security budget or staff we want, but that doesn’t mean we are destined for tragedy; most of us have less than we want, but we could be doing more with it.
3 choices for security resource management
Robb Reck of Dark Matters wrote a series of articles on resource management for security professionals and came up with three options for those with limited resources:
- Be a hero: Work 60 hours per week to make up for the lack of resources.
- Lower the quality of work: Spread your resources thin so you can do more stuff.
- Do less stuff: Prioritize and do higher quality work in fewer places.
While plenty of us have seen people and companies that operate on option one or two, those are both unhealthy and less secure options. Quality over quantity. It is better to do higher quality work in the most important, vulnerable places than to do low quality work everywhere.
How to do less
Doing less security work requires that you eliminate tasks strategically so you are not leaving your company’s data vulnerable.
Step 1: Inventory processes
What is everyone doing each day? Don’t assume. Ask everyone on your team what projects they are working on because you never really know if someone started something new and never told anyone—or stopped doing something and never told anyone.
Step 2: Match your processes to business goals
Are your efforts aligned with business goals, or are they going unused? To complete this step, talk to people inside and outside your department. Find out why your department is doing what it is doing and then check to see if that reasoning is still valid. Sometimes you might find out that your team has just been doing things because “it is the way they have always done it,” but the process is no longer needed.
Step 3: Prioritize
The first projects you can ditch are the ones you found out were no longer needed during Step 2. Next, eliminate anything that is not in line with business goals. You don’t have the resources to be going above and beyond. Finally, you may need to eliminate some security projects. This is not ideal, but it is the reality of your situation. Do a serious risk assessment of all your security projects and eliminate the ones with the least risk associated with them. At the Secure360 Conference, Yan Kravchenko presented on a new project that helps businesses prioritize application security programs. It may look simple right now as a few PDFs and spreadsheets, but the information you gain will help you make informed decisions on which security measures will be the least risky to eliminate.
Steps 4 & 5: Create a plan to eliminate processes and enact it
The most important part of Step 4 is making sure there are no business needs left unmet when you eliminate your processes. You may need to hand off some business needs to another department or come up with a simpler, less resource-consuming way for your department to meet them.
Yes, our jobs would be easier with unlimited resources, but that is just not the reality we are living in right now. Take the time to figure out how your company can do less and be more secure.