
39% of IT leaders fear major incident due to excessive workloads – Source: www.csoonline.com


Source: www.csoonline.com – Author: Evan Schuman

News Analysis

03 Feb 2025, 6 min read

IT Skills, Incident Response, Security Operations Center

IT leaders worry that ongoing staff shortages in the face of escalating workloads could result in a business-crippling event. Security specialists point to retraining and other techniques to help mitigate the problem.

Enterprise security operations teams find themselves stretched thin and contending with an escalating cyber threat landscape today. Many are understaffed and underfunded, leaving CISOs on edge about the consequences for the enterprise — and their careers.

A recent survey from Adaptavist about fallout from last summer’s CrowdStrike outage found that two out of five (39%) IT leaders “warn that excessive workloads” could lead to a major incident for their companies. “The ongoing war for IT talent is likely exacerbating these issues,” the survey’s writers concluded.

John Price, CEO at Cleveland-based security firm SubRosa, underscored the reality many CISOs and their teams currently face.

“The sheer volume of alerts, coupled with the complexity of modern attack surfaces, has created a near-constant state of overwhelm for many security professionals,” he said. “We are operating still in a reactive security mindset. In some cases, a successful cyberattack can be the driving force behind getting the budget you need.”

Cutting (and delegating) workload bloat

Given this situation, security specialists encourage CISOs to consider new ways of engaging their overstretched teams — and helping them keep sharp.

One of the most effective ways to minimize security risk when working with suboptimal resources and people is to “strictly triage what your team is doing,” said Jim Boehm, an expert partner at consulting firm McKinsey. 

“This would amount to robust demand management,” Boehm said, suggesting that team tasks that could be discarded could include architecture board review meetings and “chasing things for an internal audit.”

“Why have four or five people in an hour-long [review] meeting where they are just going to argue?” Boehm asked. “I would rather them review the security posture of a potential acquisition. It’s all about taking a risk-based look at everything, not just your assets and controls but what your people are doing.”

Boehm also suggested embracing line-of-business (LOB) dual-embedding within DevSecOps, in which security staff and LOB developers are embedded in each other's teams. Ideally, that helps reduce security issues by training non-security colleagues to think like security engineers.

“Developers, for example, hate to be considered engineers. They hate constriction. They want to be artists [and deliver] no documentation,” Boehm said. 

The argument to those developers, Boehm said, would be, “‘If you adopt this, the security team will bother you less. If you run clean for six months, we’ll even remove the need for a security threat review team.’ You’re effectively turning those developers into pseudo-security people. If I can teach them how to do that, then I only have to do that once.”

Such training will also deliver meaningful business ROI for those developers, he said. The developers’ “output goes up, their time-to-market goes up. That is a powerful incentive.”

Building a better bench — and keeping staff sharp

Jess Burn, a principal analyst at Forrester, said CISOs sometimes must go against the grain — for example, insisting that vacation days are taken even when vacancies make the security team especially small. But to do so they have to get strategic about team structure, she added.

“You have to encourage your key personnel to take time off, and the only way to do that is to make sure that you’ve cross-trained other people to step in. You need to be creating a bench, especially when it comes to your incident responders,” Burn said. “You can’t have your core group of three or four folks have a breach or an incident and then expect them to work 18 to 20 hours and throw pizza at them to keep them going. You need to make sure that you have good people to step in.”

The team’s size can shrink for various reasons, which is why Burn argues that duplicative backup roles are essential.

“It’s just a good practice overall to create a bench for all of your critical roles in your organization because you will inevitably lose people to either burnout or retirement or just a better offer from somewhere else,” Burn said. “So you should be thinking about things like succession planning and showing people that there is a path for advancement within your own organization, which again helps with retention and alleviates burnout because they’re seeing the value that you’re placing on them as an individual contributor.”

Kayne McGladrey, an IEEE senior member and field CISO at Hyperproof.io, highlighted the importance of taking steps to maintain morale when resources are thin or workloads are becoming untenable.

“Overwhelmed employees may become discouraged, leading to security nihilism, where they feel that breaches are inevitable and give up on maintaining security measures,” McGladrey said. “This can result in a lack of communication about potential threats, making it harder for security teams to respond effectively.”

He continued: “CISOs can help address excessive workloads by implementing regular check-ins with employees to understand their feelings and interests, which can help in redistributing tasks and [boosting] job satisfaction. They can also encourage skill expansion by allowing team members to learn new skills and get a break from routine tasks. And providing access to mental health resources, such as meditation apps or online therapy, can support the well-being of the team and mitigate the effects of excessive workloads.”

Failing to do so can put security teams in a doubly vulnerable position, as many attackers seek to create a sense of siege to overwhelm and confuse them, said Tanium CIO Erik Gaston.

“Managing excessive workloads can be a big challenge for today’s security teams, especially when attackers overwhelm them with excessive noise, disrupting their ability to effectively monitor, detect, and respond to real threats,” he said. “By generating large volumes of false positives and artificial noise in vulnerability management systems and SIEM platforms, attackers have a viable way to confuse cyber teams with the intention of masking the actual or underlying malicious attack.”

Gaston said the most common such tactics he has observed include “flooding systems with what would be considered low-risk actions” and “sending large volumes of harmless but potentially suspicious looking payloads through systems resembling real attack vectors. They can come in the form of brute force, DDoS, fake lateral movement, data exfiltration, and tunneling, among other things.”
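To make the noise-flooding tactic Gaston describes concrete, here is an added example (written for this page, not code from the article, from Tanium, or from any SIEM vendor) of burst-aware triage: repetitive alerts sharing the same rule, source and destination are collapsed into one burst record rather than dropped, and the survivors are ranked by severity weighted by how rarely the rule normally fires. The alert feed, the rule names and the 30-day baseline counts are all constructed for illustration.

```python
"""Burst-aware alert triage (added example, not from the article).

Idea: an attacker can bury one real event under thousands of low-risk
alerts. Collapsing the flood into a single burst record keeps the flood
visible (the burst itself is a signal) while letting rare, high-severity
events rise to the top instead of scrolling past the analyst.
"""
from collections import defaultdict


def build_sample_feed():
    """Constructed feed: 60 low-severity SSH brute-force alerts from three
    addresses, with one high-severity exfiltration alert buried in the
    middle. Timestamps are arbitrary integer seconds."""
    feed = []
    for i in range(60):
        feed.append({"ts": 1000 + i, "rule": "ssh_failed_login",
                     "severity": 2, "src": "10.0.0.%d" % (50 + i % 3),
                     "dst": "bastion-01"})
    feed.insert(30, {"ts": 1030, "rule": "dns_txt_exfil", "severity": 8,
                     "src": "10.0.5.7", "dst": "8.8.8.8"})
    return sorted(feed, key=lambda a: a["ts"])


# Hypothetical 30-day baseline: how often each rule normally fires.
# A rule that fires constantly carries far less information than a rare one.
BASELINE = {"ssh_failed_login": 12000, "dns_txt_exfil": 3}


def collapse_bursts(alerts, min_burst=10):
    """Group alerts by (rule, src, dst). Groups with at least min_burst
    members become one burst record carrying the count and time span;
    smaller groups pass through unchanged. Nothing is discarded."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["rule"], a["src"], a["dst"])].append(a)
    out = []
    for (rule, src, dst), members in groups.items():
        if len(members) >= min_burst:
            out.append({"rule": rule, "src": src, "dst": dst,
                        "severity": members[0]["severity"],
                        "count": len(members),
                        "first_ts": members[0]["ts"],
                        "last_ts": members[-1]["ts"],
                        "burst": True})
        else:
            for m in members:
                out.append(dict(m, count=1, burst=False))
    return out


def score(event, baseline):
    """Severity weighted by rarity: 1/(1 + baseline count of the rule),
    so a never-seen rule keeps its full severity and a rule that fired
    12,000 times last month is weighted down toward zero."""
    rarity = 1.0 / (1 + baseline.get(event["rule"], 0))
    return event["severity"] * rarity


def triage(alerts, baseline, min_burst=10):
    """Collapse bursts, then return events ranked highest-priority first."""
    events = collapse_bursts(alerts, min_burst)
    return sorted(events, key=lambda e: score(e, baseline), reverse=True)


if __name__ == "__main__":
    for e in triage(build_sample_feed(), BASELINE):
        tag = "BURST x%d" % e["count"] if e["burst"] else "single"
        print("%6.3f  %-18s %-10s -> %-10s %s"
              % (score(e, BASELINE), e["rule"], e["src"], e["dst"], tag))
```

On the constructed feed the 61 raw alerts reduce to four records: three brute-force bursts of 20 alerts each and the single exfiltration alert, which ranks first because its rule is rare and its severity high. The burst records are kept deliberately: a sudden flood of otherwise harmless alerts is exactly the pattern Gaston describes, so an analyst should see that it happened and when, just not as 60 separate rows.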


Original Post url: https://www.csoonline.com/article/3814828/39-of-it-leaders-fear-major-incident-due-to-excessive-workloads.html

Category & Tags: Incident Response, IT Leadership, IT Skills, IT Training, Risk Management, Security Operations Center
