Understaffed, Overworked IT Departments Can Themselves Be Considered Security Risks

If you don’t think an understaffed team poses serious security risks, then consider the Exxon Valdez oil spill. A large oil tanker hit a reef and spilled hundreds of thousands of barrels of crude oil into Prince William Sound. The ship’s captain, Joseph J. Hazelwood, was portrayed in the media as the sole cause of the disaster, an irresponsible alcoholic who had gotten drunk on duty and left the bridge to sleep it off. But the findings of the U.S. National Transportation Safety Board (NTSB) paint a more complex and disturbing picture, indicating that an understaffed ship and an overworked crew that were too exhausted to manage the vessel securely were also important factors in the disaster. “The financial advantage derived from eliminating officers and crew from each vessel does not seem to justify incurring the foreseeable risks of serious accident,” the NTSB concluded.

Overworked, exhausted and understaffed — does that perhaps sound a bit like the folks manning the security operations center (SOC) or network operations center (NOC) at your company? In a survey reported by NetworkWorld, IT support teams are understaffed by 42 percent on average. Last year’s Global Information Security Workforce Study showed that 56 percent of respondents feel their security organizations are short-staffed.

The Risks of Tired Workers

Tired people are more likely to make mistakes. Research from the National Highway Traffic Safety Administration (NHTSA) shows that drowsy people have:

  • Slower reaction times
  • Reduced vigilance
  • Deficits in information processing

Does that sound like the kind of responder you want managing your computer emergency response center or SOC when advanced malware is detected or a data breach is occurring? If the SOC isn’t properly staffed, the security risks are relatively clear; an understaffed SOC is an IT Valdez waiting to happen.

But what about less adrenaline-soaked circumstances? Many IT security professionals live in constant fire-drill mode but under less critical circumstances. These workers are also overworked but may be more at risk for errors or inefficiencies posed by continuous partial attention (CPA), which leads to its own kind of exhaustion.

Consider a CISO who receives over 500 emails a day. On the daily to-do list is a summary of corporate security risks for the board, responding to findings from an auditor or assessor that found compliance issues, a review of vendors’ proposals for a new product purchase and managing the company’s formal response to the Heartbleed bug. Managing a constant stream of daily to-do items means that there’s little or no time to sit back and think strategically about where the company wants to be with regards to security and risk in five years. If security professionals don’t have time to analyze and digest — and space to think strategically — the end result is a reactive team that’s forever playing catch-up.

An effective risk management program takes time to build and roll out; trying to do it in the “spare time” between all the fire drills just doesn’t work. A smaller staff may look cost-effective on paper, but the long-term cost of serious accidents or even overspending on a security product that can’t be implemented or operated properly must be considered.

Getting Real About Staff Time

If you’ve never created an hourly matrix for your employees, you probably don’t have a realistic idea of where there time is going. When I worked for a large consulting firm, we had to get extremely granular about consulting hours to ensure we could deliver the project on-budget.

Take the same approach to your staffing. Look at each role and assign hours to each of the tasks that the person in that role is expected to accomplish. Though most of us work a lot more than 40 hours a week on average, start there. Unexpected deadlines hit security teams all the time, so if you size a role at 50 hours, you’re overworking people from the get-go.

Be extremely granular with where time goes. Does your company consider “answering email” as something that just happens, or has it been sized? If basic email response takes up two hours of a person’s day, that only leaves six hours for other work. Granted, sometimes answering email is the work; just factor it in.

How many meetings must an employee attend each week? What written deliverables are expected? Does the role require research or reading time to keep up with the latest advances in security or to dive into a vulnerability report or compliance standard? What about ongoing education and certification work?

In this very social media-oriented era, many of us are expected to be active in social communities, to tweet and blog. It’s not uncommon for these “extra” activities to be piled onto an average workweek without accounting for that time elsewhere.

As you work through a role-sizing matrix, you’ll uncover many other tasks not mentioned here, but hopefully these examples are useful to get you started. Interviewing people about what they do every day will also provide great data for a realistic sizing exercise.

Has your organization run the numbers? Is the financial benefit of running a lean, overworked tech staff justified? Or are you focusing on the short term without taking into account the long-term costs? If you have sized your staff, what did you find helped your company understand how people really spend their days? Please let us know in the comments or via Twitter @dianakelley14.

More from Risk Management

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.  Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.Signature-Based Antivirus SoftwareSignature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

How the Silk Road Affair Changed Law Enforcement

The Silk Road was the first modern dark web marketplace, an online place for anonymously buying and selling illegal products and services using Bitcoin. Ross Ulbricht created The Silk Road in 2011 and operated it until 2013 when the FBI shut it down. Its creator was eventually arrested and sentenced to life in prison. But in a plot twist right out of a spy novel, a cyber attacker stole thousands of bitcoins from Silk Road and hid them away. It…

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…