• United States




Why desensitization is ruining your security strategy (part 1)

Nov 02, 20154 mins
CSO and CISOCyberattacksData Breach

Overwhelmed, overloaded, and understaffed information security teams are ruining your cyber security strategy.

office worker overwhelmed with data 87777180
Credit: Thinkstock

The booms rustled me from my sleep, and the resulting shockwaves communicated something bad was happening. I immediately sat up in bed, conducted a quick self-assessment, and made sure my CHU (containerized housing unit) mate, and I were not injured. My second combat tour in Iraq and rarely did bombings or mortar attacks disturb me any longer. They had become a fact of life and when they happened (not if they happened) if you were alive at the end you only continued operations; it was just another day at the office.

This particular incident seemed unusually disturbing and subsequently I got up out of bed and decided to see if my F.O.B. (Forward Operating Base) had been hit. After a quick perusal outside I determined that everything was OK and went back to sleep. All this happened in a matter of fact manner that suggested I had become desensitized to the realities of war.

I believe the same is true of our information security personnel. The realities of cyber attack (when not if) coupled with understaffed information security departments, and sensory overload of our staff are contributing factors. Each of these factors contributes to what I call the groundhog day mindset. In other words, we spend our time going through the motions because we have given up hope that we can make a substantive impact. Not that we don’t want to, but we are overwhelmed and overworked; we have defaulted into survival mode.

Once we have entered into survival mode only the most evident and extreme events, awaken us from our malaise. By this time the attacker has been within our systems, an average of six months and has begun exfiltrating data from our systems. Desensitization could cost U.S. companies on average $6.5 million. The writing on the wall is crystal clear. Our security strategies have to address the problems that overwhelm our teams and lead to desensitization.

Problem 1: The staffing shortage

According to a 2014 study published by Ponemon 70 percent of respondents said their information security department was understaffed. The study also indicates 40 percent of IT security jobs will remain unfilled in 2015 alone with 49 percent of supervisory roles. Overall the headcount within our security department is steadily increasing but demand still far exceeds supply.


Information security leaders need to start looking within their ranks to grow security professionals. Recently, I listened to a CISO discuss how his accounting firm overcame these challenges. They sought out accountants with an aptitude for information security and provided them with training. The program has experienced outstanding results. After all, who understands our businesses better than the professionals within the organization. If you want to strengthen your security strategy, seek talent from within and provide training.

Problem 2: Biting off more than we can chew

Our enterprise infrastructures did not become insecure overnight. In all likelihood, it happened over a period of years. Our insecurity built up over time and very likely has only come to light in the recent past. Our IT staffs are often very competent but without security professionals who understand the unique business processes of the organization (and who can communicate with business executives) it is hard to implement adequate controls. Subsequently, we often prioritize operations and relegate security to the back burner. Now we have discovered the error of our ways and we’re in a hurry to secure our networks.


Our networks are insecure because of choices we made (or didn’t make) over a period. Likewise, it will take time to nurse our security posture back to health. It will require a concerted effort from all stakeholders within the organization, and the project must be championed by senior executives. To avoid overwhelming our staffs we need to break down our project into smaller projects. The Center for Internet Security’s 20 Critical Security Controls offers a prioritized method for slowly but surely securing our networks.

The role of talent management cannot be underestimated. We have only begun to scratch the surface and dive down into one of the most critical issues affecting the security of our enterprises, desensitization. Please join me over the next six weeks as we dive deeper into this issue and learn how we can solve this nagging problem.


TJ Trent is an expert in organizational compliance and governance for organizations in the cyber universe. His focus is on people, processes, and systems, which provides the foundation for understanding the true place of technology in the cyber world.

TJ works fiercely and passionately to prevent, detect, and eradicate cyber threats. ​During his 13 year career he has witnessed the information technology field burgeon into a powerhouse industry intertwined ​with the fabric of our lives. ​As the lines have blurred between technology and our lives, cyber security and cyber awareness are at the forefront of media attention. The last two years we have been inundated with breach after breach. From healthcare and banking violations to our most sensitive and private photographs. It seems like nothing is safe anymore.​

A super high achiever dedicated to learning and continually improving. TJ has been able to rise to the elite levels of success in his career. With over nine years of leadership experience, TJ has helped many organizations and individuals reach milestones within their careers. As a result, he is also uniquely suited to help you turbo charge your career within the information technology field.

TJ's credentials include a Bachelors of Science-Information Systems Security, Certified Information Systems Security Professional, GIAC Security Essentials (SANS 401), GIAC Certified Enterprise Defender (SANS 501), GIAC Certified Incident Handler (SANS 504), GIAC Certified Intrusion Analyst (SANS 503), GIAC Certified Forensic Examiner (SANS 408), GIAC Certified Critical Controls (SANS 566), and GIAC Certified Network Systems Auditor (AUD 507). TJ will complete his Masters of Business Administration-Technology Management in February 2016.

The opinions expressed in this blog are those of TJ Trent and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.