Infosec Impacts from Understaffing
***Update: I have not received many responses to this, so I have created an anonymous Web survey here –D***
The economy right now is “teh suck”.
I’m not telling anyone something that they don’t know. You can’t read the news anywhere right now without being assaulted with horrid financial news. For any of my infosec “extended family” hoping to retire soon – hope you got it under your mattress, and I’m sorry.
But let’s get back to today. You’re working in information security – maybe you’re the intrusion analyst, monitoring sensors and alerts, or the forensic gal staring into the EnCase console, or the “go to” security wonk who does a bit of everything. Whatever the case, you have a few specialties (most of us do), or things that you have traditionally been tasked with and enjoy or hate doing. There’s the initial premise. NOW…
Back to the economy. Budgets are frozen. Or hacked and slashed. Maybe even increased a bit, BUT…no more headcount. And very likely fewer headcount. So here’s the rub: You’re wearing a lot of hats. You’ve got more responsibilities than ever, some of which you love, others you may hate. The question though: what’s changing in your organization’s security program as a result of too few people to do all the work? On the GIAC mailing list, a fine fellow named Frank suggested that he would be a bit less stringent in his Web filtering policies if he had a little more bandwidth: right now, he’s so taxed that he has no time to reprimand people or debate what sites are questionably OK to allow. He’s getting CRUSHED. And I feel for him – you probably do, too.
So, a few questions I’d love to hear back on:
- What types of policy changes and over-arching security philosophy/mindset/risk tolerance changes are occurring as a result of fewer staff?
- What types of security operations are taking a hit? Reviewing logs or IDS info less often? Resolving change/exception tickets more slowly for firewall and other access?
- What items are first to go out of the budget? Maybe just technology plans, etc.
- What tasks are you really trying to automate, and how are you prioritizing? By skill needed? Time needed? Services or consulting costs needed? Etc.
Thanks for reading!