The Part-Time CSO

Physicists tell us that time is not constant. Interesting as that may be for physicists, it’s also a concept that the rest of us can get behind once we put a little bit of a different spin on it.

I’m not suggesting that we should all get out our lab coats and play make-believe cosmologist. Instead, I’m suggesting that we put the scientific implications of the statement aside and (through strategic misinterpretation) look to what it might say about how we view time in the workplace. Many of us tend to assume that every hour we pour into our jobs (or particular tasks within our jobs) is equal. But really, that’s not true. Instead, the time that we invest yields different returns depending on context. Let me illustrate what I mean by example.

Diminishing Returns

Imagine a hypothetical employee who works exactly one hour per week. How productive will that employee be during that one hour they spend working? They have to get situated, catch up on where they were from last week, get “in gear” to work — by the time they get started, the hour’s almost up. So that hour isn’t very productive.

Now, say they work 16 hours a day, Monday through Friday. How productive are they likely to be then? Overall, they’re likely to get quite a bit done. But, on average — within any given hour — their productivity is also low. For the overworked employee, burnout and fatigue eat away at productivity so that the last hours they work are their least productive. This pulls down the average for the more productive hours they spent earlier in the week. Once they reach a certain threshold, their per-hour efficiency goes down.

Somewhere in the middle between these two extremes is the sweet spot: an amount of time that is neither too long nor too short, a time where each hour they spend is at maximum productivity. There’s a whole science to figuring out where the sweet spot is, but suffice it to say that figuring out how to get stuff done efficiently is not as easy as the Gantt charts would have us believe. Just like everything else, the time we invest is a function of context. Everything — from what else is on our plate, to our levels of skill and training, to our personal lives — all plays a role in how efficient we’ll be at any given task. When it comes right down to it, every hour is not created equal.

A Part-Time Role

While having a full-time CSO is almost a given among large organizations, in the small-to-medium-sized business (SMB), the opposite is more often true. In other words, in the SMB (more often than not), the information security function is usually divided up. In smaller shops, the security function might be a part-time responsibility of one person. In a medium-size shop, the security role might be handled by a committee of multiple stakeholders — all with full-time responsibilities elsewhere in the organization.

Now, I’m not saying that this is a bad approach — in many SMBs, it’s the only approach. For example, the SMB that can’t afford to maintain a dedicated security officer doesn’t really have a choice but to split it up (unless they ignore the topic entirely). On the other hand, even among organizations that can afford a full-time security pro might decide to split it up anyway. They might decide that a collaborative approach — one where various stakeholders from across the firm have an opportunity to contribute — is better for the long-term health of the organization. These are all perfectly valid reasons for splitting up the information security role.

The problem comes in, though, when we remember that the Gantt chart is not practical reality — changes in context can detract from the ability of individuals to concentrate effectively on all of the things on their plate. If we make information security a part of someone’s job, it stands to reason that shifting priorities can leave information security on the back burner while fires get put out and while other tasks are attended to. This situation tends to get worse as time goes by because it’s hard for security to compete effectively with other tasks that folks might be working on.

The truth is that everybody’s overworked nowadays, and in many cases it’s harder to show the value of a security-related task compared to other tasks. Deploy a new application, your users think you’re a hero; deploy a new security control, they might not even notice. I know which one I’d pick if I had to choose between those two.

Clearing Space and Staying Focused

So what do we do? How do we in the SMB make sure — even though circumstances might require that we split out job roles — that we leave our information security bases covered no matter what comes up? How can we make sure that our staff members — no matter what else they have on their plates — spend enough time on information security tasks to keep moving those goals forward? In truth, there’s nothing that we can’t solve with a bit of planning. Like Hank Hill would say, “If you plan ahead, then when things happen, you’re prepared.”

The first and probably most effective thing you can do to address this is to over-budget the amount of time and energy that part-time information security activities will require and give your employees that much additional time to work within. This sounds easy, but it really isn’t. Consider how this would play out in real life: A network or IT manager with a full schedule gets security dropped into his lap. No matter how much time you think the security aspect will take, it’s more than he is spending on it now, and there are the same number of hours in the day.

The trick, then, is to free up time from the other parts of this person’s job and invest that time into doing security activities while simultaneously maintaining focus over the long-term. Freeing up this manager’s time can be done either through the allocation of additional resources to help in other areas of responsibility or through additional automation to reduce the number of cycles he spends on other things.

For example, if a network manager spends a good chunk of his day putting out fires — say related to connectivity and performance issues — one strategy would be to given him access to a dedicated resource for handling that or to invest in networking technologies that reduce the administrative overhead. Freeing up time in this way makes sure that he has the space he needs to stay focused on information security. Now that he has the time to invest in these activities, set up a forum to help everyone stay focused on information security over the long term. Setting up, for example, a quarterly management security forum will help make sure that the folks tasked with day-to-day security management keep their eyes on the ball.

Ed Moyle is currently a manager withCTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner ofSecurity Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels