Your organization’s greatest security resources are people. They see the trouble spots and can intelligently investigate incidents and raise red flags (often at a higher level than the green-yellow-red lights on system dashboards). They keep the lights on, the employees working, the customers satisfied, the bad guys at bay.
But organizations aren’t hiring as many security professionals as they need, and very often, it’s not because of budgetary pressures. It’s because they can’t find skilled people. No matter how you slice it, creating a security professional with 10 years of experience takes … well, 10 years. All of this makes it imperative to use your security professionals in the most effective way possible to make your organization as secure as possible and make their jobs interesting and rewarding so that you retain top talent.
Tip #1: Take humans away from the daily techno-drudgery
Start by freeing up your security professionals from mundane, repetitive tasks. That often means automation. I don’t mean automation to replace staff, but automation to elevate your most skilled professionals to focus on security initiatives that increasingly support the competitiveness of the business.
Work with your team to identify the tasks that are most ripe for automation, including those where security policies are followed in a straightforward manner, where it might be hard to spot an admin’s mistakes and where mistakes can threaten security and increase risk. If many “things” have to be touched in order to accomplish a task, that’s where automation can save precious human resources, a tremendous amount of time and significantly reduce errors.
Tip #2: Let software do the heavy, repetitive lifting
Validating security is a related area where automation can deliver huge efficiencies by eliminating human labor. Humans find this kind of work slow and laborious, and might take weeks to perform a routine audit. Automation can do that job in minutes. Not only that, but automation is far more likely to do an accurate job. Humans do not excel at repetitive, detail-oriented tasks such as updating a hundred firewall devices with a new policy, or validating that their settings conform to policies. Humans make mistakes, possibly miss a setting or forget to save a change. Automation will get it done not only faster, but more accurately — and can log everything it does, without complaining about the paperwork.
Tip #3: Automate audit preparation
Preparing for audits remains an incredibly time-consuming and potentially error-prone activity that takes precious times from strategic security initiatives. Audit preparation can vary from the mundane to the insane – like documenting backups, checking firewall configurations, validating that files are properly encrypted, making sure patches have been applied, and so-on. Audits can be all-consuming, and require significant human intervention but this time and effort can be saved through automation.
Tip #4: Offload security operational tasks to the IT operations teams
In many organizations, security teams often handle operational tasks that touch on security. Consider offloading these tasks to IT operations so that security staff can focus purely on security-related tasks. Since the general IT market has not witnessed the same growth in demand for skilled employees as security, hiring IT Ops personnel is often less of a challenge.
Tip #5: Make “tribal knowledge” available to all
In too many organizations, critical knowledge is not hoarded in notebooks or SQL databases, but in human memory. Think about the veteran network architects who know the system inside and out, including where the “official” plans don’t represent the physical reality. We call that information “tribal knowledge.” While those individuals (who I like to call Network Ned) are corporate treasures, it’s simply not good policy to silo tribal knowledge within cranial wetware. Not only are you going to have a bad day when these people leave the company, it also makes ramping up new and lesser-skilled engineers a lot slower and more difficult. If you can use software tools to document the reality of the network and its security configurations, Network Ned won’t have to be a corporate Wikipedia of critical data. Instead, Network Ned can apply his/her talents to driving innovation and adding value to the business.
Tip #6: Use scarce, hard-to-find security professionals smarter
We are all under pressure to improve the efficiency of our security teams. But we are also under pressure to strengthen the business by increasing competiveness and agility -- without increasing risk. Security professionals can play an important role in this through big-picture thinking, problem solving, and finding better ways to manage risk. My suggestion is to take repetitive tasks off their plates. This will free them to execute many of those tasks more efficiently and more accurately. That’s how we do more with less in today’s security-intensive world.