May 9, 2014 By Diana Kelley 4 min read

Understaffed, Overworked IT Departments Can Themselves Be Considered Security Risks

If you don’t think an understaffed team poses serious security risks, then consider the Exxon Valdez oil spill. A large oil tanker hit a reef and spilled hundreds of thousands of barrels of crude oil into Prince William Sound. The ship’s captain, Joseph J. Hazelwood, was portrayed in the media as the sole cause of the disaster, an irresponsible alcoholic who had gotten drunk on duty and left the bridge to sleep it off. But the findings of the U.S. National Transportation Safety Board (NTSB) paint a more complex and disturbing picture, indicating that an understaffed ship and an overworked crew that were too exhausted to manage the vessel securely were also important factors in the disaster. “The financial advantage derived from eliminating officers and crew from each vessel does not seem to justify incurring the foreseeable risks of serious accident,” the NTSB concluded.

Overworked, exhausted and understaffed — does that perhaps sound a bit like the folks manning the security operations center (SOC) or network operations center (NOC) at your company? In a survey reported by NetworkWorld, IT support teams are understaffed by 42 percent on average. Last year’s Global Information Security Workforce Study showed that 56 percent of respondents feel their security organizations are short-staffed.

The Risks of Tired Workers

Tired people are more likely to make mistakes. Research from the National Highway Traffic Safety Administration (NHTSA) shows that drowsy people have:

  • Slower reaction times
  • Reduced vigilance
  • Deficits in information processing

Does that sound like the kind of responder you want managing your computer emergency response center or SOC when advanced malware is detected or a data breach is occurring? If the SOC isn’t properly staffed, the security risks are relatively clear; an understaffed SOC is an IT Valdez waiting to happen.

But what about less adrenaline-soaked circumstances? Many IT security professionals live in constant fire-drill mode but under less critical circumstances. These workers are also overworked but may be more at risk for errors or inefficiencies posed by continuous partial attention (CPA), which leads to its own kind of exhaustion.

Consider a CISO who receives over 500 emails a day. On the daily to-do list is a summary of corporate security risks for the board, responding to findings from an auditor or assessor that found compliance issues, a review of vendors’ proposals for a new product purchase and managing the company’s formal response to the Heartbleed bug. Managing a constant stream of daily to-do items means that there’s little or no time to sit back and think strategically about where the company wants to be with regards to security and risk in five years. If security professionals don’t have time to analyze and digest — and space to think strategically — the end result is a reactive team that’s forever playing catch-up.

An effective risk management program takes time to build and roll out; trying to do it in the “spare time” between all the fire drills just doesn’t work. A smaller staff may look cost-effective on paper, but the long-term cost of serious accidents or even overspending on a security product that can’t be implemented or operated properly must be considered.

Getting Real About Staff Time

If you’ve never created an hourly matrix for your employees, you probably don’t have a realistic idea of where there time is going. When I worked for a large consulting firm, we had to get extremely granular about consulting hours to ensure we could deliver the project on-budget.

Take the same approach to your staffing. Look at each role and assign hours to each of the tasks that the person in that role is expected to accomplish. Though most of us work a lot more than 40 hours a week on average, start there. Unexpected deadlines hit security teams all the time, so if you size a role at 50 hours, you’re overworking people from the get-go.

Be extremely granular with where time goes. Does your company consider “answering email” as something that just happens, or has it been sized? If basic email response takes up two hours of a person’s day, that only leaves six hours for other work. Granted, sometimes answering email is the work; just factor it in.

How many meetings must an employee attend each week? What written deliverables are expected? Does the role require research or reading time to keep up with the latest advances in security or to dive into a vulnerability report or compliance standard? What about ongoing education and certification work?

In this very social media-oriented era, many of us are expected to be active in social communities, to tweet and blog. It’s not uncommon for these “extra” activities to be piled onto an average workweek without accounting for that time elsewhere.

As you work through a role-sizing matrix, you’ll uncover many other tasks not mentioned here, but hopefully these examples are useful to get you started. Interviewing people about what they do every day will also provide great data for a realistic sizing exercise.

Has your organization run the numbers? Is the financial benefit of running a lean, overworked tech staff justified? Or are you focusing on the short term without taking into account the long-term costs? If you have sized your staff, what did you find helped your company understand how people really spend their days? Please let us know in the comments or via Twitter @dianakelley14.

More from Risk Management

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today