Avoid the Security Operations rut with Strategic Planning
The end of December can be a tremendously productive time of year for teams. With customers and coworkers beginning to take time off, the demands on time begin to decline and an opportunity to catch up, or get a headstart on the New Year, presents itself. Potentially 60-80 hours, uninterrupted ...you are probably asking yourself this morning, where did all of that time go?
If you are like a lot of people, the shift from crunch time to excess was swift and, if you weren't prepared, you probably find yourself settling back into the ebbs and flows of the previous year you swore to be off. Heck, we didn't post this blog two weeks ago because we know catching your breath is sometimes much more realistic than getting caught up or even ahead.
But it is ok! The "free-time" may not be there, but the motivation still is. That resolutive drive to do something differently. It takes a bit of self-discipline but unlocking the door to security assurance and getting away from purely reactive operations is just a few proactive steps away.
Set A Clear Goal
Throughout the year, various urgent and timely situations, even if they aren't critical, are going to eat away at your day. Hours are going to be drawn from your schedule each week from meetings, responding to emails, chasing false positive alerts and patching holes. It's not that these things don't have a place, but time spent reacting is always going to take away from getting your security operations onto a proactive foot.
So before you move into desktop support, patching bugs or whatever other additional duties you cover in addition to SecOps, outline key events that are coming up. Maybe it's a compliance recertification? Or a migration to G-suite. Whatever it is, when you identify specific, time-bound milestones, it is far more likely that you will take the right steps to achieve them.
Create your objectives – OKRs, GOSPA, etc.
After you've identified where you need to be and when, create actionable objectives. Doing security operations 'better' or being 'more' proactive isn't going to get you there because it isn't specific enough. You have to be able to carve out specific time for shifting to a DevSecOps culture or assessing your environments existing but maybe not [yet] hemorrhaging vulnerabilities.
The strategic planning process is extremely valuable for keeping what is going to matter in a couple months top of mind when it doesn't seem to matter right now. That said, I'm going to admit that this part of getting your security operations primed is actually a lot harder than it sounds. Why?
It's because planning doesn't possess the same level of immediate satisfaction as just doing. But it is important to remember that doing without planning is a recipe for being in the exact same place a year from now and wondering where all of the time went. That is definitely not a win. So plan.
Briefly, as you get into the planning process, don't get hung up on the hyper-specifics. Directional works and will likely be a tremendous improvement on the current state of things.
Take stock, identify gaps and outline your steps
Alright. This all feels good and motivational, but what is an actionable next step. Before we get there, I want to address an important disclaimer.
It may sound more intuitive to set goals based on the inventory you've done but, and I have seen this firsthand, this is a recipe for mediocrity. It is easier to not aspire then it is to challenge yourself to do something truly impactful when the resources don't seem to exist. I'm not saying it isn't important to level-set, but you should level-set after you identify where you want to go, long term versus short-term.
Back to actionable steps. Get a clear understanding of where your organizations security operations are. What lapses exist? Is your asset inventory or employee onboarding process up to date? Where are you just getting by [or lucky]? It is critical to have a clear understanding of your current picture to know how far you are from achieving your end all goals and what steps need to be taken. Again, we don't want to sacrifice an aspirational future because of the current state, but we can't ignore it either.
Dedicate Time, but be realistic
Proactive planning and action is always going to take a back seat to urgent matters. There really is no getting around that and in a lot of cases that is the right thing. But the effort still needs to be invested if you are going to meet your goals or time-bound events without having to put in nights and weekends. So you need to find the time.
To do that, think about your normal day and identify those peak hours for reactive demands or meetings. Avoid any overlap with those hours when you schedule your proactive tasks. If i can speak frankly, you are just fooling yourself if you think you can cold turkey change your reactiveness to day to day demands.
This may mean holding off on a jump straight into Slack or email when you first get into the office to put half an hour into ensuring your asset inventory is up to date or ensure no new vulnerabilities have arisen. It's ok. The needs for your time are still going to be there. Just pretend you came in a half-hour later.
Dedicating time to this may not feel very good now, since the outcome is set so far in the future, but it is critical to getting ahead of your security operations and achieving your goals for 2019.
Bring in an ally
Accountability is a magical thing. We as people do even greater things when we are in a group. So even if you are a security team of one, having someone else in the organization onboard with where you are trying to go with the organizations SecOps and the challenges that exists significantly increases the likelihood that you are going to stick with it.
On top of that, looping in others around the organization will make your job easier. I've witnessed firsthand how being up to speed on an IT team's GDPR initiatives consciously impacted my own day to day operations in a way to minimize the strain on them. The same can happen for you.
When you work in a tight-knit organization, people tend to look out for each other. Use that to your advantage by looping other teams and leaders into where you are trying to take security operations. You'll find far fewer requests occur that require your reaction and more time will open up to make progress on your security goals.
Starting on the path to transformative security operations and a simplified path to compliance is as easy as these steps. Even if they are incremental, you will wind up in a far better place than last year. Better yet, these steps are all in your control.
So leverage your renewed motivation, and that of those around you, to overhaul your SecOps for the New Year.
Cheers and Happy Security.