TechWeb

When Projects Cause Security Failures

Nov 30, 2007 (12:11 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=208802427


3:45 PM -- Prioritizing your security responsibilities can be a challenge when there are many tasks and limited time to complete them. Some of us have such an extreme interest in security that we’d do it day and night if possible, but deadlines, managers, and non-work related priorities like family all influence how we prioritize our tasks.

I'm currently faced with more tasks than usual and have been a bit stuck figuring out what to do first. Someone provided me some guidelines that break it down like this: First focus on prevention and protection, then detection, and finally, everything else. Now that's great advice, but I’m still left juggling operational tasks while trying to make steady progress with my projects.

If you’re a manager, then you know projects need to demonstrate continuous progress, and must be completed on time. That's the de facto mindset for a manager because projects have the most impact on a business’ resources (time and money). But if managers go to the extreme of making projects more important than operational tasks, it can backfire.

Operational tasks are the daily activities that keep an organization running smoothly -- reviewing logs from servers, firewalls, and IDS/IPS, applying the latest security updates, reading security news and mailing lists to find out about the latest threats.

Security managers should understand this and realize that if projects aren’t progressing on schedule, it could be due to an imbalance in operational and project duties. If operational tasks fall to the wayside, a server may go unpatched and end up compromised. Even worse, the compromise could go unnoticed because logs weren’t being reviewed due to time spent on projects that got priority over the day-to-day.

What should you do when you experience such an imbalance? Well, a relationship between a security manager and his or her team requires the same fundamental trait personal relationships need to be successful: communication. Managers should have an open-door policy where their team can come when they feel overwhelmed or are unsure how to prioritize their duties. Security team members must take the initiative to speak honestly with their manager. If communication is a problem, consider finding a new job or new employees.

I’ve been fortunate to be in great working environments with communicative and understanding managers in all of my jobs but one. And that one was enough to show me what I was missing and to know what to look for in my next job. I hope everyone can be so lucky.

Just remember, communication is a two-way street for managers and members of the security team to ensure you're striking the right balance in your workload.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading