Enterprise security operations teams find themselves stretched thin and contending with an escalating cyber threat landscape today. Many are understaffed and underfunded, leaving CISOs on edge about the consequences for the enterprise — and their careers.
A recent survey from Adaptavist about fallout from last summer’s CrowdStrike outage found that two out of five (39%) IT leaders “warn that excessive workloads” could lead to a major incident for their companies. “The ongoing war for IT talent is likely exacerbating these issues,” the survey’s writers concluded.
John Price, CEO at Cleveland-based security firm SubRosa, underscored the reality many CISOs and their teams currently face.
“The sheer volume of alerts, coupled with the complexity of modern attack surfaces, has created a near-constant state of overwhelm for many security professionals,” he said. “We are operating still in a reactive security mindset. In some cases, a successful cyberattack can be the driving force behind getting the budget you need.”
Cutting (and delegating) workload bloat
Given this situation, security specialists encourage CISOs to consider new ways of engaging their overstretched teams — and helping them keep sharp.
One of the most effective ways to minimize security risk when working with suboptimal resources and people is to “strictly triage what your team is doing,” said Jim Boehm, an expert partner at consulting firm McKinsey.
“This would amount to robust demand management,” Boehm said, suggesting that team tasks that could be discarded could include architecture board review meetings and “chasing things for an internal audit.”
“Why have four or five people in an hour-long [review] meeting where they are just going to argue?” Boehm asked. “I would rather them review the security posture of a potential acquisition. It’s all about taking a risk-based look at everything, not just your assets and controls but what your people are doing.”
Boehm also suggested embracing line-of-business (LOB) dual-embedding mechanisms within DevSecOps. Ideally, that could help reduce security issues by training non-security colleagues in security thinking.
“Developers, for example, hate to be considered engineers. They hate constriction. They want to be artists [and deliver] no documentation,” Boehm said.