Making Security Work When Staffing is Tight

About this series: Smaller staff. Deflated security budgets. In-store thievery. When economic times are tough, these are the things security pros must contend with. In this ongoing series, CSO magazine looks at ways to ensure the best security possible during a recession.

One of the basics of Security Management 101 is that you should make the most of the staff you have and get them as much training as possible. But it’s easy to lose sight of that when times are good, operating budgets are fat and attention shifts to hiring more bodies and investing in the latest commercial security tools.

The conventional wisdom is that security is a safe sector to work in during the current economic slowdown, since companies always need security pros to help ensure regulatory compliance, prevent data breaches, and protect assets and revenue. But industry experts warn against complacency. After all, they say, security hiring can take a hit along with everything else when times get tough.

“Many businesses decide to cut back on security when times get tough, and realistically this should be a time where adequate or even increased security makes more sense,” says Roger H. Schmedlen, a Michigan-based consultant specializing in physical security and loss prevention. “Security is often hard to justify in a measurable way. When there are few apprehensions, this is often because security has minimized the exposure and is doing a good job. But management may take this to mean that there is little need for security.”

To maintain security during a staff shortage, experts say it’s important – even critical – to pour time and money into security awareness programs and training to boost the security savvy of existing employees, whether they work in that area or not.

Meanwhile, experts say security can be maintained during staff shortages through strict enforcement of industry standards and regulations.

“Probably the most important thing a company can do is invest in the education and training of staff,” says John Bambenek, a security consultant from Illinois.

Making all employees part of the security team

Bambenek, who specializes in network security, intrusion detection and forensics, notes there are plenty of open source tools available for security shops that can’t afford the latest and greatest defensive mechanisms. Existing commercial tools can also be better maintained or tweaked with the right scripts. But to make these things work, employees need constant training, he says, adding that “trained staff know how to make the most of their abilities to get the job done, even without commercial tools.”

When a company must make do with a smaller security staff, increasing awareness among the larger workforce can be enough to make the difference, says Ernie Hayden, a principal at 443 Consulting and former CISO of the Port of Seattle.

“One of the best things an organization can do is take advantage of the entire workforce and make them all part of the security team,” he says. Through training, education and continuous “rifle shot gorilla marketing techniques,” a company can condition employees to be paranoid of e-mail attachments and URLs sent by strangers, or to be more cognizant of any trouble fellow employees may be up to.

Build a better team, be a better boss

To get the most out of existing personnel, it’s important for the decision makers to keep would-be malcontents happy and show as much fairness as possible, says Joseph Guarino, CEO and senior consultant for Boston-based Evolutionary IT, which specializes in security tools and management.

The fields of psychology and management science have revealed the obvious, he says: less hierarchy and more employee empowerment makes for a happier workforce that in turn will be more willing to do what it takes to maintain security.

“Treating your employees like the most important asset you have makes it more likely that they will respond with outstanding results,” he says. “The sting of the stick yields much less than the allure of the carrot.”

Cut with care

A natural target for the budget cutters during a recession is the discretionary spending, whether it’s for those free pastries in the office kitchen or the employee seminars, education and team building programs. When the money supply runs dry, it’s understandable if the free snacks have to go away. But slice too deeply and employee morale will tank, says Richard Parry, head of global security for Novartis Institutes for BioMedical Research in Cambridge, Mass.

Low morale leads to higher employee turnover, and in a recession those who leave are often not replaced.

“While these items can be seen as the low-hanging fruit, focusing too heavily on these types of cuts can lead to loss of morale, which can have longer and more severe effects on the company,” he says. “Not only do you have higher staff turnover in that environment, but you make the company less attractive to prospective employees.”

To help keep morale high and turnover low, Parry tries to ensure that there are still opportunities for the professional development seminars, certification classes, and the like.

Parry also tries to examine roles and responsibilities and parlay times of reduced staffing into opportunities for cross-functional training for existing employees.

“This spreads the work load, and while it doesn’t necessarily reduce the workload for anyone, it provides interesting variations in their daily duties,” he says. “It also ensures that there’s a built-in contingency and succession plan so that the departure of any one individual does not create a single point of failure.”

Keep it simple

For organizations that must make do with a smaller security staff, cutting down on IT complexities and embracing security compliance controls will lesson the chances of a mistake-fueled catastrophe, says Atlanta-based strategic architect James DeLuccia.

DeLuccia offers audit and consulting services for companies trying to comply with such security laws and standards as the Payment Card Industry’s Data Security Standard (PCI DSS). One of the common requirements of regulatory compliance is to reduce complexities and redundancies in the network so data can be better tracked and protected. A side benefit is that fewer complexities means few opportunities for a security failure, especially in an organization where staffing and tech savvy is in short supply.

“Security and technology service the entire business and must reflect the entire business challenge – regulatory and best practices,” he says. “Failure in either case will lose customers, have regulatory enforcement agencies ban the company from operating in a market, cause fines for lack of best practice, and such.”

When staffing is tight, the last thing a company wants is a badly-configured patchwork of legacy systems full of redundant databases and processes, the likes of which he has seen in companies that have been through mergers and acquisitions, he says.

And so his advice is to “remove the froth off network architectures that result from mergers and acquisitions and eliminate the redundancy in situations that occur where people say ‘that is how we always have done it.'”