Making Security Work When Staffing is Tight
When you can't afford new hires, there are plenty of ways to give the people you have better security scruples. (Part One in a series: How to Manage Security in a Recession)
By Bill Brenner , Senior Editor
June 19, 2008 —
About this series: Smaller staff. Deflated security budgets. In-store thievery. When economic times are tough, these are the things security pros must contend with. In this ongoing series, CSO magazine looks at ways to ensure the best security possible during a recession.
One of the basics of Security Management 101 is that you should make the most of the staff you have and get them as much training as possible. But it's easy to lose sight of that when times are good, operating budgets are fat and attention shifts to hiring more bodies and investing in the latest commercial security tools.
The conventional wisdom is that security is a safe sector to work in during the current economic slowdown, since companies always need security pros to help ensure regulatory compliance, prevent data breaches, and protect assets and revenue. But industry experts warn against complacency. After all, they say, security hiring can take a hit along with everything else when times get tough.
"Many businesses decide to cut back on security when times get tough, and realistically this should be a time where adequate or even increased security makes more sense," says Roger H. Schmedlen, a Michigan-based consultant specializing in physical security and loss prevention. "Security is often hard to justify in a measurable way. When there are few apprehensions, this is often because security has minimized the exposure and is doing a good job. But management may take this to mean that there is little need for security."
To maintain security during a staff shortage, experts say it's important - even critical - to pour time and money into security awareness programs and training to boost the security savvy of existing employees, whether they work in that area or not.
Meanwhile, experts say security can be maintained during staff shortages through strict enforcement of industry standards and regulations.
"Probably the most important thing a company can do is invest in the education and training of staff," says John Bambenek, a security consultant from Illinois.
Making all employees part of the security team
Bambenek, who specializes in network security, intrusion detection and forensics, notes there are plenty of open source tools available for security shops that can't afford the latest and greatest defensive mechanisms. Existing commercial tools can also be better maintained or tweaked with the right scripts. But to make these things work, employees need constant training, he says, adding that "trained staff know how to make the most of their abilities to get the job done, even without commercial tools."