I’m sure most of us have seen one of the many cartoons recently circulated on LinkedIn. This particular cartoon caught my eye due to its profound message. In the cartoon, two people struggle to move a cart with square wheels. A third person comes along offering round wheels, but is told “No thanks! We are too busy.”
While this cartoon is humorous, it can also teach us an important lesson. I’d like to try and extract one particular lesson I found in this cartoon and apply it to an issue I see repeatedly in the security profession. More specifically, I would like to focus on how this lesson relates to the areas of security operations and incident response.
Security is most definitely a stressful business. Moreover, this stress is often felt most acutely within the security operations and incident response functions. Risks and threats continue to evolve. Budgets don’t grow nearly as quickly as they need to. There is a shortage of qualified personnel, placing additional pressure on management and personnel already in place. The list of demands from the business grows faster than it can be addressed. Technologies struggle to work together to meet operational needs. Logs come in ever more rapidly, exhausting storage and processing resources. Alert fatigue buries the organization, making any hope of timely detection ever more difficult. Technological, procedural, communications, and bureaucratic obstacles complicate incident response.
As anyone who works in security operations and incident response knows, I’ve only just begun to enumerate some of the pain security professionals endure on a daily basis. The list goes on and on. I’ve discussed some of the issues listed above in previous pieces, and I certainly don’t wish to rehash those points here. Nonetheless, it’s fair to say that there is always more to do in security than there are resources available to do it. This sounds like a tough situation, if not a dire one. But I promise you that I wrote this piece to do more than merely enumerate the problems and challenges we face.
It’s all too easy to get caught up in day-to-day activities and to forget to come up for air. How can a responsible security professional take a step back, take a deep breath, and contemplate strategic thoughts when there is so much tactical work to be done? It’s a valid question, but the fundamental assumption of the question is flawed. The tragedy in this way of thinking is that, sometimes, we are too busy to see that the reason we get bogged down is that we need to adjust or improve our processes, approaches, methodologies, techniques, and/or technologies. In other words, our very busyness is the cause of our continuing busyness. Sound counterintuitive? It’s really not. Allow me to elaborate.
Our industry is constantly changing. Techniques evolve. Technologies emerge. Process improves. People learn. Businesses educate themselves. Priorities shift. Risk acceptance fluctuates. Possibilities to streamline, improve, and introduce efficiencies may exist today that did not exist even one or two years ago.
A fresh perspective may provide insight into where and how efficiencies and improvements can be introduced. But where does this fresh perspective come from? It doesn’t come from being buried in day-to-day operational tasks. It most often comes from an effort to find the time to emerge from the day-to-day, at least for a period of time or percentage of time, in order to identify the root cause of the busyness. Yes, there is more work to do than there are resources to do it. But that doesn’t mean that going about the work more efficiently wouldn’t produce better results from a less frantic staff.
Identifying and eliminating bottlenecks and inefficiencies can often result in more work getting done and more value being added, even if the pace of work feels slower. It sounds paradoxical at first, but it’s actually not. Think about it.
I rarely come across a Security Operations Center (SOC), Incident Response Center (IRC), or Cyber Defense Center (CDC) that isn’t struggling to keep up with its work queue. At the same time, I’ve never seen a SOC, IRC, or CDC that wouldn’t benefit from taking a step back and assessing *why* it is overwhelmed. Are there any potential bottlenecks or inefficiencies that process or technology could address? Are there time-consuming tasks being performed that don’t provide much value? Are team members spending a disproportionate amount of time waiting for queries to return or otherwise fighting with the technology that’s supposed to be helping them? These are just a few of the many questions security leaders ought to be asking on a regular basis.
In my view, a swamped SOC, IRC, or CDC presents an opportunity — a wake-up call. That is actually a good thing, provided the organization can seize the opportunity. Being overwhelmed indicates that it is a good use of time to take a step back, assess where time is being spent, evaluate the value of each of those activities, and determine if efficiencies can be introduced. The security operations community is a helpful one — peer organizations and others in the industry are often more than willing to offer some suggestions and helpful advice. The question is more whether an organization and its leadership are self-aware enough to seek advice, receptive to feedback, and prepared to listen and learn. In my experience, it is helpful to learn from the successes — and failures — of others.
I am also reminded of another picture I’ve seen recently on LinkedIn that contains the quote “The most dangerous phrase in the language is ‘we’ve always done it this way’.” There is a lot of truth in that.