May 9, 2014 By Diana Kelley 4 min read

Understaffed, Overworked IT Departments Can Themselves Be Considered Security Risks

If you don’t think an understaffed team poses serious security risks, then consider the Exxon Valdez oil spill. A large oil tanker hit a reef and spilled hundreds of thousands of barrels of crude oil into Prince William Sound. The ship’s captain, Joseph J. Hazelwood, was portrayed in the media as the sole cause of the disaster, an irresponsible alcoholic who had gotten drunk on duty and left the bridge to sleep it off. But the findings of the U.S. National Transportation Safety Board (NTSB) paint a more complex and disturbing picture, indicating that an understaffed ship and an overworked crew that were too exhausted to manage the vessel securely were also important factors in the disaster. “The financial advantage derived from eliminating officers and crew from each vessel does not seem to justify incurring the foreseeable risks of serious accident,” the NTSB concluded.

Overworked, exhausted and understaffed — does that perhaps sound a bit like the folks manning the security operations center (SOC) or network operations center (NOC) at your company? In a survey reported by NetworkWorld, IT support teams are understaffed by 42 percent on average. Last year’s Global Information Security Workforce Study showed that 56 percent of respondents feel their security organizations are short-staffed.

The Risks of Tired Workers

Tired people are more likely to make mistakes. Research from the National Highway Traffic Safety Administration (NHTSA) shows that drowsy people have:

  • Slower reaction times
  • Reduced vigilance
  • Deficits in information processing

Does that sound like the kind of responder you want managing your computer emergency response center or SOC when advanced malware is detected or a data breach is occurring? If the SOC isn’t properly staffed, the security risks are relatively clear; an understaffed SOC is an IT Valdez waiting to happen.

But what about less adrenaline-soaked circumstances? Many IT security professionals live in constant fire-drill mode but under less critical circumstances. These workers are also overworked but may be more at risk for errors or inefficiencies posed by continuous partial attention (CPA), which leads to its own kind of exhaustion.

Consider a CISO who receives over 500 emails a day. On the daily to-do list is a summary of corporate security risks for the board, responding to findings from an auditor or assessor that found compliance issues, a review of vendors’ proposals for a new product purchase and managing the company’s formal response to the Heartbleed bug. Managing a constant stream of daily to-do items means that there’s little or no time to sit back and think strategically about where the company wants to be with regards to security and risk in five years. If security professionals don’t have time to analyze and digest — and space to think strategically — the end result is a reactive team that’s forever playing catch-up.

An effective risk management program takes time to build and roll out; trying to do it in the “spare time” between all the fire drills just doesn’t work. A smaller staff may look cost-effective on paper, but the long-term cost of serious accidents or even overspending on a security product that can’t be implemented or operated properly must be considered.

Getting Real About Staff Time

If you’ve never created an hourly matrix for your employees, you probably don’t have a realistic idea of where there time is going. When I worked for a large consulting firm, we had to get extremely granular about consulting hours to ensure we could deliver the project on-budget.

Take the same approach to your staffing. Look at each role and assign hours to each of the tasks that the person in that role is expected to accomplish. Though most of us work a lot more than 40 hours a week on average, start there. Unexpected deadlines hit security teams all the time, so if you size a role at 50 hours, you’re overworking people from the get-go.

Be extremely granular with where time goes. Does your company consider “answering email” as something that just happens, or has it been sized? If basic email response takes up two hours of a person’s day, that only leaves six hours for other work. Granted, sometimes answering email is the work; just factor it in.

How many meetings must an employee attend each week? What written deliverables are expected? Does the role require research or reading time to keep up with the latest advances in security or to dive into a vulnerability report or compliance standard? What about ongoing education and certification work?

In this very social media-oriented era, many of us are expected to be active in social communities, to tweet and blog. It’s not uncommon for these “extra” activities to be piled onto an average workweek without accounting for that time elsewhere.

As you work through a role-sizing matrix, you’ll uncover many other tasks not mentioned here, but hopefully these examples are useful to get you started. Interviewing people about what they do every day will also provide great data for a realistic sizing exercise.

Has your organization run the numbers? Is the financial benefit of running a lean, overworked tech staff justified? Or are you focusing on the short term without taking into account the long-term costs? If you have sized your staff, what did you find helped your company understand how people really spend their days? Please let us know in the comments or via Twitter @dianakelley14.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today