May 9, 2014 By Diana Kelley 4 min read

Understaffed, Overworked IT Departments Can Themselves Be Considered Security Risks

If you don’t think an understaffed team poses serious security risks, then consider the Exxon Valdez oil spill. A large oil tanker hit a reef and spilled hundreds of thousands of barrels of crude oil into Prince William Sound. The ship’s captain, Joseph J. Hazelwood, was portrayed in the media as the sole cause of the disaster, an irresponsible alcoholic who had gotten drunk on duty and left the bridge to sleep it off. But the findings of the U.S. National Transportation Safety Board (NTSB) paint a more complex and disturbing picture, indicating that an understaffed ship and an overworked crew that were too exhausted to manage the vessel securely were also important factors in the disaster. “The financial advantage derived from eliminating officers and crew from each vessel does not seem to justify incurring the foreseeable risks of serious accident,” the NTSB concluded.

Overworked, exhausted and understaffed — does that perhaps sound a bit like the folks manning the security operations center (SOC) or network operations center (NOC) at your company? In a survey reported by NetworkWorld, IT support teams are understaffed by 42 percent on average. Last year’s Global Information Security Workforce Study showed that 56 percent of respondents feel their security organizations are short-staffed.

The Risks of Tired Workers

Tired people are more likely to make mistakes. Research from the National Highway Traffic Safety Administration (NHTSA) shows that drowsy people have:

  • Slower reaction times
  • Reduced vigilance
  • Deficits in information processing

Does that sound like the kind of responder you want managing your computer emergency response center or SOC when advanced malware is detected or a data breach is occurring? If the SOC isn’t properly staffed, the security risks are relatively clear; an understaffed SOC is an IT Valdez waiting to happen.

But what about less adrenaline-soaked circumstances? Many IT security professionals live in constant fire-drill mode but under less critical circumstances. These workers are also overworked but may be more at risk for errors or inefficiencies posed by continuous partial attention (CPA), which leads to its own kind of exhaustion.

Consider a CISO who receives over 500 emails a day. On the daily to-do list is a summary of corporate security risks for the board, responding to findings from an auditor or assessor that found compliance issues, a review of vendors’ proposals for a new product purchase and managing the company’s formal response to the Heartbleed bug. Managing a constant stream of daily to-do items means that there’s little or no time to sit back and think strategically about where the company wants to be with regards to security and risk in five years. If security professionals don’t have time to analyze and digest — and space to think strategically — the end result is a reactive team that’s forever playing catch-up.

An effective risk management program takes time to build and roll out; trying to do it in the “spare time” between all the fire drills just doesn’t work. A smaller staff may look cost-effective on paper, but the long-term cost of serious accidents or even overspending on a security product that can’t be implemented or operated properly must be considered.

Getting Real About Staff Time

If you’ve never created an hourly matrix for your employees, you probably don’t have a realistic idea of where there time is going. When I worked for a large consulting firm, we had to get extremely granular about consulting hours to ensure we could deliver the project on-budget.

Take the same approach to your staffing. Look at each role and assign hours to each of the tasks that the person in that role is expected to accomplish. Though most of us work a lot more than 40 hours a week on average, start there. Unexpected deadlines hit security teams all the time, so if you size a role at 50 hours, you’re overworking people from the get-go.

Be extremely granular with where time goes. Does your company consider “answering email” as something that just happens, or has it been sized? If basic email response takes up two hours of a person’s day, that only leaves six hours for other work. Granted, sometimes answering email is the work; just factor it in.

How many meetings must an employee attend each week? What written deliverables are expected? Does the role require research or reading time to keep up with the latest advances in security or to dive into a vulnerability report or compliance standard? What about ongoing education and certification work?

In this very social media-oriented era, many of us are expected to be active in social communities, to tweet and blog. It’s not uncommon for these “extra” activities to be piled onto an average workweek without accounting for that time elsewhere.

As you work through a role-sizing matrix, you’ll uncover many other tasks not mentioned here, but hopefully these examples are useful to get you started. Interviewing people about what they do every day will also provide great data for a realistic sizing exercise.

Has your organization run the numbers? Is the financial benefit of running a lean, overworked tech staff justified? Or are you focusing on the short term without taking into account the long-term costs? If you have sized your staff, what did you find helped your company understand how people really spend their days? Please let us know in the comments or via Twitter @dianakelley14.

More from Risk Management

Cost of a data breach: Cost savings with law enforcement involvement

3 min read - For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures and other simple metrics creates a relatively level playing field for most stakeholders, including law enforcement.IBM’s 2024 Cost of a Data Breach (“CODB”) Report helps…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today