Understaffed, Overworked IT Departments Can Themselves Be Considered Security Risks

If you don’t think an understaffed team poses serious security risks, then consider the Exxon Valdez oil spill. A large oil tanker hit a reef and spilled hundreds of thousands of barrels of crude oil into Prince William Sound. The ship’s captain, Joseph J. Hazelwood, was portrayed in the media as the sole cause of the disaster, an irresponsible alcoholic who had gotten drunk on duty and left the bridge to sleep it off. But the findings of the U.S. National Transportation Safety Board (NTSB) paint a more complex and disturbing picture, indicating that an understaffed ship and an overworked crew that were too exhausted to manage the vessel securely were also important factors in the disaster. “The financial advantage derived from eliminating officers and crew from each vessel does not seem to justify incurring the foreseeable risks of serious accident,” the NTSB concluded.

Overworked, exhausted and understaffed — does that perhaps sound a bit like the folks manning the security operations center (SOC) or network operations center (NOC) at your company? In a survey reported by NetworkWorld, IT support teams are understaffed by 42 percent on average. Last year’s Global Information Security Workforce Study showed that 56 percent of respondents feel their security organizations are short-staffed.

The Risks of Tired Workers

Tired people are more likely to make mistakes. Research from the National Highway Traffic Safety Administration (NHTSA) shows that drowsy people have:

  • Slower reaction times
  • Reduced vigilance
  • Deficits in information processing

Does that sound like the kind of responder you want managing your computer emergency response center or SOC when advanced malware is detected or a data breach is occurring? If the SOC isn’t properly staffed, the security risks are relatively clear; an understaffed SOC is an IT Valdez waiting to happen.

But what about less adrenaline-soaked circumstances? Many IT security professionals live in constant fire-drill mode but under less critical circumstances. These workers are also overworked but may be more at risk for errors or inefficiencies posed by continuous partial attention (CPA), which leads to its own kind of exhaustion.

Consider a CISO who receives over 500 emails a day. On the daily to-do list is a summary of corporate security risks for the board, responding to findings from an auditor or assessor that found compliance issues, a review of vendors’ proposals for a new product purchase and managing the company’s formal response to the Heartbleed bug. Managing a constant stream of daily to-do items means that there’s little or no time to sit back and think strategically about where the company wants to be with regards to security and risk in five years. If security professionals don’t have time to analyze and digest — and space to think strategically — the end result is a reactive team that’s forever playing catch-up.

An effective risk management program takes time to build and roll out; trying to do it in the “spare time” between all the fire drills just doesn’t work. A smaller staff may look cost-effective on paper, but the long-term cost of serious accidents or even overspending on a security product that can’t be implemented or operated properly must be considered.

Getting Real About Staff Time

If you’ve never created an hourly matrix for your employees, you probably don’t have a realistic idea of where there time is going. When I worked for a large consulting firm, we had to get extremely granular about consulting hours to ensure we could deliver the project on-budget.

Take the same approach to your staffing. Look at each role and assign hours to each of the tasks that the person in that role is expected to accomplish. Though most of us work a lot more than 40 hours a week on average, start there. Unexpected deadlines hit security teams all the time, so if you size a role at 50 hours, you’re overworking people from the get-go.

Be extremely granular with where time goes. Does your company consider “answering email” as something that just happens, or has it been sized? If basic email response takes up two hours of a person’s day, that only leaves six hours for other work. Granted, sometimes answering email is the work; just factor it in.

How many meetings must an employee attend each week? What written deliverables are expected? Does the role require research or reading time to keep up with the latest advances in security or to dive into a vulnerability report or compliance standard? What about ongoing education and certification work?

In this very social media-oriented era, many of us are expected to be active in social communities, to tweet and blog. It’s not uncommon for these “extra” activities to be piled onto an average workweek without accounting for that time elsewhere.

As you work through a role-sizing matrix, you’ll uncover many other tasks not mentioned here, but hopefully these examples are useful to get you started. Interviewing people about what they do every day will also provide great data for a realistic sizing exercise.

Has your organization run the numbers? Is the financial benefit of running a lean, overworked tech staff justified? Or are you focusing on the short term without taking into account the long-term costs? If you have sized your staff, what did you find helped your company understand how people really spend their days? Please let us know in the comments or via Twitter @dianakelley14.

More from Risk Management

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Machine Learning Applications in the Cybersecurity Space

3 min read - Machine learning is one of the hottest areas in data science. This subset of artificial intelligence allows a system to learn from data and make accurate predictions, identify anomalies or make recommendations using different techniques. Machine learning techniques extract information from vast amounts of data and transform it into valuable business knowledge. While most industries use these techniques, they are especially prominent in the finance, marketing, healthcare, retail and cybersecurity sectors. Machine learning can also address new cyber threats. There…

3 min read

Now Social Engineering Attackers Have AI. Do You? 

4 min read - Everybody in tech is talking about ChatGPT, the AI-based chatbot from Open AI that writes convincing prose and usable code. The trouble is malicious cyber attackers can use generative AI tools like ChatGPT to craft convincing prose and usable code just like everybody else. How does this powerful new category of tools affect the ability of criminals to launch cyberattacks, including social engineering attacks? When Every Social Engineering Attack Uses Perfect English ChatGPT is a public tool based on a…

4 min read

How I Got Started: White Hat Hacker

3 min read - White hat hackers serve as a crucial line of cyber defense, working to identify and mitigate potential threats before malicious actors can exploit them. These ethical hackers harness their skills to assess the security of networks and systems, ultimately helping organizations bolster their digital defenses. But what drives someone to pursue a career as a white hat hacker, and how do you get started in leveraging so-called “evil” skills for the greater good?? In this exclusive Q&A, we spoke with…

3 min read