In almost every Information Security department I know of, there is too much to do and too few resources to do it. If you work in a department where that is NOT the case, please reach out to me and let me know – you’ll be the rare exception and I’d love to talk with you.
In this environment, I’m often asked how we can manage the workload in a responsible manner. It’s not easy, but I’m going to provide three ideas for you to consider. Everything we do involves people, process, and technology (in that order, by the way), but your approach to improving your security posture should likely be technology, people, process:
1. Do the stupid stuff first
Here’s the bottom line: it is almost indefensible to have a breach because you failed to patch a vulnerability that’s been known about for years. I say “almost” because there are many complexities to patching and there are many layers of vulnerability patching. Sometimes organizations have legacy systems that cannot be removed from service and cannot be patched, and you’ve done everything else you reasonably can to protect the asset – thus “almost.” That said, if you and your team do not have an organized and thoughtful patching process in place, start here. I read about so many breaches that were caused by unpatched vulnerabilities. So, start here and focus on this until you’ve got it down to a repeatable process (see #3 for more). It doesn’t matter if you have the most sophisticated AI monitoring system or the most advanced firewalls if you’re not taking care of the basics. While there are sophisticated attacks that go far beyond these basic vulnerabilities, you really don’t want some teenage hacker in their basement hangout getting into your systems because you failed to patch a vulnerability that was known five years ago, do you?
2. Involve everyone in IT
One of the biggest challenges in Information Security is getting beyond the borders of the team. In some organizations, InfoSec is seen as the problem of just that team. In reality, information security is the responsibility of everyone in the organization, but before you try to cast that wide a net, make sure that everyone in your IT department, including your Service Desk folks, your application folks, and your system admins, understands that security is one of their primary job duties. Think about it – every change they make has the potential to open a vulnerability – so everything they do DOES have a potential security implication. Educate your entire department on participating in information security, and hold the department managers accountable for it. The InfoSec team may be experts in identifying opportunities for improvement or potential vulnerabilities/gaps, but the IT department staff are responsible for addressing those. Rather than allowing that to feel like “us/them,” it should feel like a team effort, because ultimately we are all in this together, and if our systems are not secured, we’re all at risk.
3. Improve your processes
As I mentioned earlier, you should keep an eye on improving your processes. I always hear “but we’re too busy doing our work to add something else to the mix” (and I often feel that way myself). The reality is that you can incorporate process improvement into your busy schedule and your work in progress in ways that are easier than you might imagine. Start here: create standard work (aka documented processes) for the things you do every day or frequently such as patching. How is patching done – exactly? Could you hand your document to a new hire and hand patching off to them reliably? If not, then your documentation is not complete or accurate. If the answer is yes (or yes, but I wouldn’t just hand it to them and let them wander off – fair enough), then look to your next process and your next one after that. Document the right way to do things. You’ve probably read this next statement a hundred times, but there’s a reason why airplane travel is so safe – pilots walk through the same checklist the same way before every flight – because their lives depend on it. So, create this same notion of standard work and processes for the basic work your team does and you’ll improve security (by reducing errors and variation) and you’ll free up time to work on more improvements. Guaranteed.
These three ideas on improving security are not rocket science, they are not difficult, and they are not expensive. If you are time, funding or staffing constrained (and who isn’t?), focus on these areas. Once these are rock solid, you will have improved your security posture and you’ll be in a very defensible position. So, what are you waiting for?