What I Have Learned - Part 2 Misalignment

What I Have Learned - Part 2 Misalignment

Several years ago I was consulting for one of the major oil and gas companies. They had brought me in to perform response to a major incident, a breach assessment, and several penetration tests including one on their virtualization infrastructure.

Once those projects were complete they asked if I could help diagnose and solve the problems they were having between management and the security team. There was a lot of conflict, morale was low, and management wasn't happy with performance.

I spent nearly a month on sight just talking to people on the security team, shadowing them, understanding what they did and what the environment looked like. They had around 12 people on the team covering something like 100k IP addresses worldwide. After three weeks I realized that the team break down was the following:

  1. Team Leader - Focused on management rather than technical activities. (Which is fine depending on structure)
  2. Senior Advisor - A wonderful gentleman who had a ton of experience, but was getting ready to retire and whose job was mostly to attend meetings and give advice.
  3. Admin - Someone to handle scheduling, documents, purchasing, etc.
  4. 2 DBAs - Managing various databased that were used by the security organization.
  5. 2 Sysadmins - Managing the infrastructure that the team used.
  6. 3 Tool Admins - Managing the security tools that were in use such as Qradar, Symantec, some scanning tools, etc. Not operating them mind you, just keeping them functional.
  7. 1 Junior - Security person who was learning the ropes and just getting started in their career.
  8. 1 Senior Security Analyst - Who was extremely burnt out, disgruntled, and had one foot out the door.

Now structurally there was a very obvious problem. You had one skilled person managing security for 100k devices. Management's perspective was "we have 12 security people, what's the problem?" where as in reality they had about 1/2 a security person.

The next issue I solved with 1 question put slightly different. I asked everyone on the security team:

"What is the purpose for your position and team?"

They each answered very passionately some variation of the same response:

"To protect the organization against breach and data loss."

Seemed reasonable enough. So I went to upper management and asked them the following question:

"What is the purpose for the existence of the security team?"

To which they responded, paraphrased:

"A core of our business is mergers and acquisitions. We buy a lot of companies. As a part of that process there is discovery and due diligence as well as compliance requirements. We need the security team to pump out good metrics and reports that we can use as a part of these purposes, and we don't want them to worry about most of the security issues as long as the metrics and reporting are there. If there is a major damaging breach we will bring in a 3rd party such as yourself to address it."

This was a complete misalignment of purpose and was the core of the reason for the conflict and performance issues. They had never talked about it, each just made an assumption based on their needs and beliefs.

Once I explained the situation to both sides, 90% of the security team resigned and management offered me any amount of money to solve the problem with technology. At that time I was very focused and passionate about hands on tactical security rather than metrics and compliance, and a part of that passion was growing excellent people to perform those tasks and so I declined that request.

The takeaway here is that if there is conflict and performance problems between the executive team and the engineering / security team, it's imperative to do the following:

1.) Communicate - Directly, transparently, and in an out-of-the-box way, meaning not seeing each other as obstacles but rather defining clearly the goal, purpose, and plan for the organization. If there isn't an agreement on this then an amicable restructuring is necessary.

2.) Resource Analysis - Once everyone is clear and aligned on the goal, purpose, and plan, then a very realistic look needs to be taken at the resources required to accomplish that goal. Fairy tale thinking about doing more with less by the executive team is highly destructive. Conversely, the thinking that staffing increases will solve the problem are also often off base. Lean and mean can be the answer assuming its the right mix of skillsets. Certain roles you simply can't do without or understaff and that has to be understood and faced.

3.) Business Decision - You can make a decision to accept risk and focus solely on metrics and compliance, but make sure your team understands and that everyone is clear about the tradeoffs.

Thanks for listening,