An InfoSec Holiday Survival Guide
The end of the year is one of the riskiest times for information security. Attack levels rise right at the time IT staff attendance typically takes a dip. Adjusting to this critical period isn't easy, but collecting the right information now can help you take a better course of action when this season rolls around next year.
12/14/11 5:00 AM PT
It's December again, and it's a challenging time for information security organizations. It's challenging because while attacks become more prevalent during the holiday season in the form of spam and targeted malware, organizational security "readiness" paradoxically wanes at exactly the same time.
This happens for a few reasons -- both because it's one of the lowest points of the year for staff attendance, the other low point being mid-summer, and also because most of the annual budget is already spent or otherwise earmarked. So while certain types of attacks are at a high, operational security activities like ongoing monitoring and incident response can take a hit, particularly if they're dependent on time investment from staff members.
So for security organizations, the question becomes, how do we adjust? If we do nothing and let the situation unfold organically, we're likely to get utilization drop-off across the board -- a situation that exposes the organization to risk, because not all security activities are equally critical. But how can we offset the utilization drop-offs in one area to keep critical operational controls at peak operation in others?
It's not a question that has an easy answer. But fortunately there are a few things that organizations can do to make planning easier. There are three pieces of data you need to do intelligent planning:
- Resource effort to support tasks
- Drop-off during the holiday cycle
- Criticality of tasks
Obviously, given where we are in the year, there's probably not enough time to draw up a robust plan for this year's December drop-off. However, keeping an eye open and keeping track of information from this year makes planning possible for the next cycle. Meaning: Even though it might take a year to pay off, laying the foundation for a plan this year could very well mean the pain you're going through right now is the last time you'll experience it.
How Does Your Staff Spend Its Time?In an ideal world, security managers would have a task-by-task awareness of which staff members do which tasks and how long it takes to complete each one. This data would allow security managers to plan, to manage resources so that they can prioritize critical operational security activities, like monitoring security alerts, and deprioritize less-critical activities, like installing that new fancy GRC tool.
Rarely is this the normative situation, however.
Existing time-keeping systems spring to mind as a way to get this information. In practice though, they're seldom useful for that purposes. This is the case because, in many cases, when they're asked to track time at all, employees report time in a fashion that's more an exercise in "gaming" the system vs. reflecting actual utilization. Consider, for example, resource-tracking systems that enforce non-realistic rules ("employees must report exactly 40 hours") or systems that employees view as having punitive repercussions ("what you report here drives your bonus"). These systems are likely to receive "creative" input rather than actual, useful data.
If your organization is one of the lucky few that has accurate time reporting in a manner that facilitates planning, leveraging that data for this purpose is a no-brainer. Assuming that utilization tracking information isn't available or reliable, the goal for an organization seeking to plan intelligently is to figure out a method to track staff utilization on critical security tasks. Asking them to report time to the last hour over/above what they do now isn't likely to win fans, so asking staff to supply rough estimates can be "good enough" for ballpark planning.
Understanding Holiday Drop-off
In addition to knowing how security staff spend their time, the second factor under consideration is to understand by what degree security-driving activities drop off during the holiday downtime. Because activity in the broader organization as a whole drives security work (for example, review of new initiatives, patching, other controls), some portion of the overall security work will drop off as well. The time to record this information is during this year's downtime event.
Meaning, if your organization has reliable metrics, leverage them to understand how security-relevant events increase or decrease during the end of the December holiday period -- the two weeks at the end of December leading up to the end of the year. Even if your organization isn't one that normally keeps track of security metrics, let this time period be the exception. Even though a full-on metrics program may not be something you have the time or budget to take on, at the very least collect metrics about incident activity during this time period this year.
The goal is to get a baseline for how many security activity drivers are likely to be experienced during the time period. This will let you plan accordingly next year when the time comes to prioritize resources for the next cycle.
Lastly, it's important to gain a rough understanding of the criticality of various security tasks. A full-blown prioritization of security tasks is challenging because prioritizing based on varying degrees of "critical" can be a stumbling block. For example, when the time comes to choose how to allocate resources between monitoring IDS and monitoring logs, which is more important?
Fortunately, for the purposes of our holiday planning, we don't have to prioritize each and every security task to a high degree of precision and granularity. Instead, the goal for us is merely to sort tasks into two groups: "can be postponed for two weeks" and "cannot be postponed for two weeks." Asking staff to provide feedback on which of the tasks they do that cannot be postponed is a useful approach, just as it is with utilization. This will help you in finding out which of the tasks fall into the "required time investment" group for holiday planning. Think of it as a sort of a "mini-BIA," limited in scope just to security activities and processes.
Once you have these this data collected, you've got a whole year to put the three pieces of information together: Use the information and metrics gathered from your analysis of the holiday drop-off to project what the security task workload will look like next year. Use the information about what staff does what and how long it takes to fill in appropriate personnel and to keep critical activities staffed.