Home > Information Security > Infosec Impacts from Understaffing

Infosec Impacts from Understaffing

March 5th, 2009

***Update: I have not received many responses from this, so I have created an anonymous Web survey here –D ***

The economy right now is “teh suck”.

I’m not telling anyone something that they don’t know. You can’t read the news anywhere right now without being assaulted with horrid financial news. For any of my infosec “extended family” hoping to retire soon – hope you got it under your mattress, and I’m sorry.

But let’s get back to today. You’re working in information security – maybe you’re the intrusion analyst, monitoring sensors and alerts, or the forensic gal staring into the EnCase console, or the “go to” security wonk who does a bit of everything. Whatever the case, you have a few specialties (most of us do), or things that you have traditionally been tasked with and enjoy or hate doing. There’s the initial premise. NOW…

Back to the economy. Budgets are frozen. Or hacked and slashed. Maybe even increased a bit, BUT…no more headcount. And very likely fewer headcount. So here’s the rub: You’re wearing a lot of hats. You’ve got more responsibilities than ever, some of which you love, others you may hate. The question though: what’s changing in your organization’s security program as a result of too few people to do all the work? On the GIAC mailing list, a fine fellow named Frank suggested that he would be a bit less stringent in his Web filtering policies if he had a little more bandwidth: right now, he’s so taxed that he has no time to reprimand people or debate what sites are questionably OK to allow. He’s getting CRUSHED. And I feel for him – you probably do, too.

So, a few questions I’d love to hear back on:

  1. What types of policy changes and over-arching security philosophy/mindset/risk tolerance changes are occurring as a result of fewer staff?
  2. What types of security operations are taking a hit? Reviewing logs or IDS info less often? Resolving change/exception tickets more slowly for firewall and other access?
  3. What items are first to go out of the budget? Maybe just technology plans, etc.
  4. What tasks are you really trying to automate, and how are you prioritizing? By skill needed? Time needed? Services or consulting costs needed? Etc.

Thanks for reading!

–Shack

Categories: Information Security Tags:
  1. Mark Modisette
    May 14th, 2009 at 20:44 | #1

    Yo Shack – just found your site and I’m digging it.

    Here goes – This is a sensitive subject just now. I am seeing something take place in my area… In the last 2 weeks I’ve seen:
    -split tunneling and questions like”what’s the REAL risk”
    -Personal computers in the enterprise and questions like “whats the REAL risk”
    -Forklifting firewall configs from a a 9+ year old firewall to a new one and questions like…you know

    They are wearing me out – the economy is forcing focused decisions on efforts that will show a cost savings. Security has few opportunities like this…ROI with security opps…like an an oxy moron.

    I must be getting sloppy in my old age but my description of the issues is followed up with “nothing’s happened so far…”

Comments are closed.