Lately, I've been struggling with trying to get resources for my security projects. As my security program continues to grow and develop, I'm at the stage where I'm rolling out new security technologies, but I'm starting to run into roadblocks when it comes to getting server, network and desktop team support. It's ironic: I got the budget I need to buy security technologies, and I bought the products, but they're not installed yet because we don't have people available to do it.
When I first came to this company, I began by building a foundation based on ISO 27001. I wrote security policies and got them underwritten by our senior executives. I developed relationships with our executives and department leadership, to garner their support for my initiatives. Then I set out to improve our security technologies.
This had the desired effect of getting me the organizational support I needed to bump my projects up high enough in the priority list to get the funding I needed to buy security projects, which would otherwise be a real challenge in this economic climate.
So in a sense, I'm a victim of my own success. I've bought a number of products to manage malware, detect intrusions on our network, encrypt our sensitive data and provision (and deprovision) user accounts. These technologies have been selected to address the most critical vulnerabilities in my environment, and they will make a big improvement in our security and compliance capabilities. Now I'm ready to roll out these products.
But our IT department has been whittled down to a skeleton crew. Over the last several months, IT employees have been leaving the company without being replaced. Thanks to the economy, we aren't hiring anyone right now. And we just let all our contractors go. That leaves only a handful of IT staff. And as those people are forced to do the same amount of work with diminishing head count, we are all under an increasing amount of pressure. This has resulted in more employees leaving, and those who are left have their hands full, to say the least.
So here I am with my various implementation projects, unable to get IT resources. I've ended up doing a lot of the work myself, installing and configuring security appliances and software. And I've outsourced a lot of the installations, purchasing professional services along with the equipment and leveraging consultants to get things up and running. But that's not everything that needs to be done. My security products are up and running, but I need various IT systems to be configured to integrate with these new security systems. That's where I have to rely on the server team (to configure the servers to send logs and other information to my devices), the network team (to set up switches and routers to send traffic and information) and the desktop team (to install end-user software).
I'm leveraging the relationships I've established with executive management, along with persuasive analysis and metrics, to get the organizational support I need. But the fact remains that we have barely enough people to keep the lights on, so projects like mine are hard (or impossible) to fit in. I'm going to keep looking for ways to get at least gradual progress. In this economic climate, it looks like that's the best I can do.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.