How Security Teams Can Learn to Advocate for Resources

Last updated at Thu, 11 Jan 2018 14:50:37 GMT

It’s no secret that security teams today are severely resource-constrained and busier than ever.  As your days get longer, the work becomes more complex, and you begin to burn out, you need to be able to advocate for more resources — whether that be for new hires, more tools, or both.

Resources equal money, and your security organization isn’t the only one vying for the company’s wallet. At the same time, the marketing team may be proposing to host a user conference and the sales team may need to hire a VP. Both of these examples (and there are many more) impact the bottom line. So, the key to getting more security resources is to be able to demonstrate how you can improve the bottom line, too.

In this post, we’ll walk you through how to do this.

Explain the Buisness Need

You, your boss, and perhaps even your boss’ boss will need to relay the business benefits of what your security team needs before it can be considered in the budget. Perhaps it’s two new hires in the next quarter, an incident management tool, or coding resources to build custom functionality. At the end of the day, the decision-maker needs to understand how a certain expense or resource allocation will either save the business money or bring in new revenue.

Your executive team needs to understand that security is no longer just a cost of doing business; if you invest wisely in it, security can attract new customers, prevent customer data loss, and keep your business safe from the next big attack. So how do you pitch it in this way?

First, you need to explain what pain point your team is experiencing. Let’s say your business is experiencing an increasing number of threats, and currently there is no automated way to deal with them all. As a result, your team of five is spending two more hours each day sifting through alerts, leaving far less time to respond to them. This is putting the entire business at risk, because they simply can’t keep up with the volume of alerts.

With an imminent breach on the horizon, you could risk losing customers. But if you’re properly armed with tools and manpower to catch threats, that possibility is greatly reduced. Linking the broader business need to your security need will go a long way towards getting it approved and your team back on track.

Propose Your Solution & Justify It

Next, explain your solution to the problem. Let’s say you want to propose bringing in a new intrusion detection system, which can detect and investigate alerts automatically.  This would relieve your team from tedious, manual work, leaving more time to investigate and respond to the threats that are real and high-priority. This would allow you to catch potentially damaging threats before they ever make it to production or in front of a customer, safeguarding your business, your customers, and your reputation.

You’ll also want to explain in detail why this tool is better than what is currently in place (if anything). If the IDS, for example, would be replacing a manual process, explain how many man-hours and potential new hires this could save (more on that in a moment). If it’s designed to catch zero-day threats, whereas your current solution isn’t, explain that.

Whatever the benefits, make them crystal clear, so that everyone can see how the expenditure will both increase the productivity of your team and benefit the entire business.

Show the ROI

Now, for the question every executive wants to know: “What is the ROI for this?” While it may not seem like an easy number to calculate, it’s worth spending the time to quantify the difference a security line-item will make, and it will certainly make it easier to advocate for resources. Here are a few major ways that the value of security tools and resources can be quantified:
Efficiency
If the tool or resource you’re requesting will allow your team to get more done faster, or decrease your time to response for potentially dangerous threats, there is huge ROI in that. Calculate how much time will be saved and how much more you can get done, by investing in this resource. Perhaps you’re looking to bring in an automation and orchestration tool to better tie in your people, processes, and tools so you can extract the maximum value from them. List out what time-consuming tasks your team will no longer have to do, what will be automated and orchestrated, and how much time that will save each team member so they can focus on higher priority tasks like decreasing time-to-response.

Reduce the Need to Hire
Every security team is feeling the pain of the security talent gap. If there are not enough people to go around, we need tools to help get the job done. So, if you have a job req open for a security analyst to search through and investigate alerts all day, and you find a tool that can do it instead, that can easily save your company from a long and expensive hiring process, which may not even result in a successful hire anytime soon. This can open up budget for a more critical or strategic hire, or simply to invest in other areas of either the security organization or the business itself.

Extract More Value Out of the Team
Anything that can help your hard-won talent bring more value to the table is a win. Security talent is not cheap these days, so if you can find a way to relieve them from low-level tasks, like alert escalations, alert investigations, or user provisioning and deprovisioning, they can focus on much bigger-picture issues like staying on top of vulnerability patching and security training. Automation and orchestration are two popular ways teams do this, as they allow the entire security organization to get more done, while elevating the focus and benefit from each employee.

It can help to provide a cost/benefit analysis to visualize the benefits for the executive team, especially if what you’re asking for is a big-ticket item. Lay out what the current costs are compared to the cost of the new solution, as well as any other money or time that can be saved. You can grab an easy-to-use framework for this in our ROI eBook.

Have a Team of Advocates

Lastly, communicate with the people on your team who experience the same pain points you do, and who would be positively impacted by bringing in whatever new resource it is you need. This could be fellow security engineers and analysts who are burnt out from alert fatigue or the support team who is finding it difficult to resolve customer issues because of security bugs that can’t get fixed because of a lack of resources.

Talk to them about the pain points they’re experiencing, explain the benefits of your proposed solution, and ask for their support. While you may not need to bring them into the discussion right away, it’s good idea to have support from your team so that if your proposal needs backup, you will have advocates who are happy to speak up about it as well.

Request Security Resources with Confidence

At the end of the day, security is as much a part of the business as any other function, so in order to get things done, you need to be comfortable speaking up when you need budget, tools, and/or more manpower. Using the framework laid out in this post, you’ll be better prepared to have these conversations and increase the odds that your requests are approved and your team can better protect the organization.

Grab a copy of our free whitepaper The ROI of Security Orchestration and Automation.