SecurityWeek

Management & Strategy

Too Busy For Round Wheels?

I’m sure most of us have seen one of the many cartoons recently circulated on LinkedIn. This particular cartoon caught my eye due to its profound message. In the cartoon, two people struggle to move a cart with square wheels. A third person comes along offering round wheels, but is told “No thanks! We are too busy.”

While this cartoon is humorous, it can also teach us an important lesson. I’d like to try and extract one particular lesson I found in this cartoon and apply it to an issue I see repeatedly in the security profession. More specifically, I would like to focus on how this lesson relates to the areas of security operations and incident response.

Security is most definitely a stressful business. Moreover, this stress is often felt most acutely within the security operations and incident response functions. Risks and threats continue to evolve. Budgets don’t grow nearly as quickly as they need to. There is a shortage of qualified personnel, placing additional pressure on management and personnel already in place. The list of demands from the business grows faster than it can be addressed. Technologies struggle to work together to meet operational needs. Logs come in ever more rapidly, exhausting storage and processing resources. Alert fatigue buries the organization, making any hope of timely detection ever more difficult. Technological, procedural, communications, and bureaucratic obstacles complicate incident response.

As anyone who works in security operations and incident response knows, I’ve only just begun to enumerate some of the pain security professionals endure on a daily basis. The list goes on and on. I’ve discussed some of the issues listed above in previous pieces, and I certainly don’t wish to rehash those points here. Nonetheless, it’s fair to say that there is always more to do in security than there are resources available to do it. This sounds like a tough situation, if not a dire one. But I promise you that I wrote this piece to do more than merely enumerate the problems and challenges we face.

It’s all too easy to get caught up in day-to-day activities and to forget to come up for air. How can a responsible security professional take a step back, take a deep breath, and contemplate strategic thoughts when there is so much tactical work to be done? It’s a valid question, but the fundamental assumption behind the question is flawed. The tragedy in this way of thinking is that, sometimes, we are too busy to see that the reason we get bogged down is that we need to adjust or improve our processes, approaches, methodologies, techniques, and/or technologies. In other words, our very busyness is the cause of our continuing busyness. Sound counterintuitive? It’s really not. Allow me to elaborate.

Our industry is constantly changing. Techniques evolve. Technologies emerge. Process improves. People learn. Businesses educate themselves. Priorities shift. Risk acceptance fluctuates. Possibilities to streamline, improve, and introduce efficiencies may exist today that did not exist even one or two years ago.

A fresh perspective may provide insight into where and how efficiencies and improvements can be introduced. But where does this fresh perspective come from? It doesn’t come from being buried in day-to-day operational tasks. It most often comes from an effort to find the time to emerge from the day-to-day, at least for a period of time or percentage of time, in order to identify the root cause of the busyness. Yes, there is more work to do than there are resources to do it. But that doesn’t mean that going about the work more efficiently wouldn’t produce better results from a less frantic staff.

Identifying and eliminating bottlenecks and inefficiencies can often result in more work getting done and more value being added, even if the pace of work feels slower. It sounds paradoxical at first, but it’s actually not. Think about it.


I rarely come across a Security Operations Center (SOC), Incident Response Center (IRC), or Cyber Defense Center (CDC) that isn’t struggling to keep up with its work queue. At the same time, I’ve never seen a SOC, IRC, or CDC that wouldn’t benefit from taking a step back and assessing *why* it is overwhelmed. Are there any potential bottlenecks or inefficiencies that process or technology could address? Are there time-consuming tasks being performed that don’t provide much value? Are team members spending a disproportionate amount of time waiting for queries to return or otherwise fighting with the technology that’s supposed to be helping them? These are just a few of the many questions security leaders ought to be asking on a regular basis.

In my view, a swamped SOC, IRC, or CDC presents an opportunity — a wake-up call. That is actually a good thing, provided the organization can seize the opportunity. Being overwhelmed indicates that it is a good use of time to take a step back, assess where time is being spent, evaluate the value of each of those activities, and determine if efficiencies can be introduced. The security operations community is a helpful one — peer organizations and others in the industry are often more than willing to offer some suggestions and helpful advice. The question is more whether an organization and its leadership are self-aware enough to seek advice, receptive to feedback, and prepared to listen and learn. In my experience, it is helpful to learn from the successes — and failures — of others.

I am also reminded of another picture I’ve seen recently on LinkedIn that contains the quote “The most dangerous phrase in the language is ‘we’ve always done it this way’.” There is a lot of truth in that.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.