Getting Things Done in the InfoSec world…

Many times individuals in an Information Security role feel that they’re treading water – running around fighting fires while the security posture of the organization that they work at remains unchanged and the fires just keep spreading.  Unfortunately, many organizations don’t encourage, reward, and/or provide time and resources for their InfoSec practitioners to actually improve security, and success is simply measured around how many fires were put out in the last x period of time (as well as how the team responded to said fires).  Now, I know that many organizations have teams (e.g. Incident Response Teams) that are dedicated to “fighting fires” and that’s a good thing.  However, many IT Security personnel (and IT workers in general) time after time find themselves in a position to make a real, measurable impact and are stymied for one reason or another.  I’m writing this blog post to give you hope and hopefully help you deal with the major items that are, in all appearances, looming roadblocks to you actually making a meaningful impact.

Not Enough Money

This is a very common roadblock and is one that I’m sure you’ve all experienced at some point in your career.  Most companies have limited resources, especially when it comes to IT Security, and management generally prefers to accept risks rather than pay upfront to protect against the possibility of said risk occurring, especially when the cost to mitigate the risk is significant.  If you don’t take the right approach in your presentation of a solution, management will just end up seeing the dollar signs associated with a new technology that you’re proposing rather than the value the solution brings to the table.

So…you need to be strategic.  In my opinion, providing information to management so that they can make informed IT Security related spending decisions is relatively straightforward:

  1. Define your threat.
  2. Define the probability of the threat actually occurring.
  3. Define the probable impact that the threat would have on the organization, and the cost of the impact (if possible).
  4. Finally, define a cost to mitigate the threat (or a number of cost options for varying degrees of mitigation).

Of course, this is easier said than done – however, the bottom line is that you want to communicate to management how a proposed solution is going to cost-effectively mitigate a well-defined risk.

Sometimes, even though you may have convinced your management of the merits of incurring costs to protect against a defined risk, it is just the case that your company really doesn’t have the funds available.  So this is where you’ll need to be creative – if you truly/strongly believe that a risk needs to be mitigated and you have management buy-in, you can usually come up with some options to mitigate the risk that do not involve your company actually spending money (short of your or your team’s time).  Sure, these solutions most likely are not as effective as your originally proposed solution, but at this point a little protection is better than none (as a side note, remember that there is no such thing as realistic complete protection) and you can provide value to your organization.  Just make sure that you are very clear as to the limitations, etc. of your new solution so that no-one assumes protection exists where there may be none.

No matter the financial environment at your organization, it is always a good strategy to come into a presentation prepared with a number of solutions ranging in cost and accompany each solution with an explanation of what level of mitigation it provides.  The more prepared you are, the higher the chance of success and the greater the value you bring to your organization.

Not Enough Time

So you’ve gotten past the initial roadblock of not having enough money and management has tasked you with implementing your proposed solution.  The only problem is: you’re slammed with work (i.e. firefighting) and really don’t have the time to actually plan, test, implement, etc.  You could always go back to your management and ask for some professional services dollars, but even with help, you’re still going to have to dedicate some of your time (albeit less).  So, here you are with approval to make an impact on your organization’s security stance, but you don’t actually feel like you have the time to make that impact.

Obviously, working more hours gets you more time – but the principal problem here is probably not that you need more hours, but that you need to allocate/prioritize your time a bit differently to support doing more than simply firefighting.  You’re going to need management buy-in for this one, and convincing management to allow you to step back from firefighting to do some project work can be similar to actually “selling” the initial project (and should probably be done at the same time).  But don’t worry – since your management has already bought into supporting the project (at least financially), it shouldn’t be that much of a stretch to allow you to re-prioritize your time to support the implementation of said project.  Here are a couple of key discussion points you probably want to focus on when talking around task/time prioritization:

  • Delayed completion of other tasks: once complete, the project should actually reduce the amount of time spent firefighting either by way of mitigating a threat and/or making you more efficient.  Depending on the benefit that the project is bringing to the table, some “fires” may be able to smolder while you work on moving things forward.
  • Task prioritization: continuing on with the previous point, it is better to have already defined what type of “fire” you can delay putting out versus one that needs immediate attention.  A clear understanding of task priorities will allow you to know where your project fits in alongside your operational/firefighting tasks; it will also become clear as to whether you can feasibly accomplish your project or not (i.e. you already have a full-time job’s worth of “Critical” tasks).  Finally, you may need to work with your management to further re-prioritize your tasks, allocate more resources, etc.  Don’t give up on your project – if you truly believe that it will bring a significant benefit to your organization, work to convince your management of that!

Like money, for most organizations (and people) time is a limited/scarce resource and getting management buy-in to use your time for a specific project can sometimes be even more difficult than getting money allocated.  I highly recommend that you combine the time and money discussions into one, so that when you get full buy-in you already know that you have both the time and money available to be successful.

Overwhelming Obstacles

OK – if you’ve gotten this far you’ve taken care of some significant roadblocks, so be encouraged!  But alas you’ll probably end up hitting a few more speed bumps, one of which is people.  There are a number of obstacles that can come up during a project, but one of the major ones that you’ll see time and time again is people within your organization (hopefully outside of your team/group).  They generally mean well and oppose your project for good reasons, so it is important that you keep that in mind when someone within your organization is either choosing to be unhelpful, actively opposing your project, etc.  Again, you’re going to need to put on your “sales” hat (sense the recurring theme? 😎 ) and work to convince people of the merits of what you’re doing.  You should focus on:

  • Understanding why they don’t think it is a good idea and then showing them that it is actually a good idea – keep an open mind though, as a lot of the time, as you’re discussing your project, people will bring up very good points that you should seriously consider.
  • Keeping the end-goal in mind (what you’re actually *trying* to do) and being reasonable about *how* you’re going to accomplish this goal.  If people don’t agree with the way you’re trying to accomplish your goal, then perhaps you can come up with an alternative approach that the key players can agree on (while still accomplishing the same end result).
  • Showing how your project adds value to the organization and to their team.  Understanding what their team does and how they work can be helpful as part of this demonstration.

At some point, if you cannot get agreement between the key players, you’ll need to get management involved (hopefully upper-levels that you have convinced on the merits of your project) and directives can be made to influence agreement at lower organization levels.  This is definitely a worst case scenario, and you should attempt to get reasonable buy-in before resorting to this strategy.

Overwhelming Situation

You most likely feel like you’re treading water for a reason – so many tasks, so many fires, so many holes, so little time.  There are times that you can feel completely overwhelmed by your situation, and perhaps even your project itself could feel overwhelming.  Here’s a good key to actually making an impact: take small, doable steps to incrementally improve your organization’s situation.  Identify an item that you can accomplish as part of your project and *do it*.  Don’t sit back and let the sheer weight of everything else going on overwhelm you.  Pick a bite-sized chunk of what you need to work on and then *do it*.  Of course, it is important to keep the big picture in mind, but if you stay so focussed on everything that needs to be accomplished for that big picture to be done, you’ll end up feeling like you’re unable to make any impact at all.  You can make an impact!  Even completing a small task and moving your organization forward in the area of IT Security can have sizable long-term organizational benefits.

So – make it a goal to impact your organization, prepare and sell your ideas to your management and teams around you, and then take incremental steps to move your organization forward.  Before you know it, you’ll be floating down the river in a log raft – which is better than just treading water.