Organizations commonly rely on internal resources to serve on project teams for implementations, usually with the following expectations: 50 percent of the team members' time will be dedicated to the project, 50 percent of their time will be devoted to their “day to day” responsibilities, and somehow an additional 25-50 percent of their time will be used to address any issues, outages and any other initiatives that may be underway. This over-use of resources, and the expectation that staff will absorb the added responsibilities and workloads, can result in a highly frustrated workforce that may be driven to pursue career opportunities outside of the organization. Such an exodus could leave an organization with a significant loss of institutional knowledge and create a void that could be detrimental not only to the successful implementation of the project, but also to day-to-day operations.
In many cases, the people who are faced with absorbing these additional duties are very hesitant to raise, or in some instances re-raise, their concerns to management about the need for more resources. In the current economic climate, many teams and organizations are dealing with the same challenges of attempting to do more with less. Many of the teams that Neohapsis has had an opportunity to interact with have shared that they have raised their concerns with their managers or supervisors in the past only to have the discussion not make its way to the appropriate leadership levels within the organization. Others have held these discussions with management in the past with less than favorable responses.
However, readdressing this issue in the context of a project's requirements tends to net a more positive response from management, and in some cases provides additional validity to these requests.
I believe it is important to identify and communicate the appropriate staffing requirements, such as backfill or staff augmentation, to management so that any associated expenses can be identified and included as part of the budgeting process. If an organization is going to commit the financial resources to a project to meet a regulatory or business compliance requirement, it is usually willing to provide the necessary resources to achieve the goal, provided it has been made aware of the requirements and the requests are supported by sound justification. It is best to begin setting these expectations during the project planning stages.
Lack of planning for support beyond the project phase
Once the implementation has been completed and the objectives of the information security project have been met, organizations are not accounting for ongoing support or management, or for the specific skill set required to support a newly implemented environment or solution. While your organization may be able to “check the boxes,” or report that it has achieved some level of compliance for a given timeframe, there is typically a recurring requirement of management, attestation or re-certification. Some organizations believe that once they have implemented a solution, established a program, or taken the necessary steps to remediate any deficiencies that may have been identified, this one-time effort and expenditure should address any future requirements for compliance or validation. They do not take into account that there will be resource requirements for management and administration, and recurring expenses, beyond the first year. In many cases, when the resources allocated to a project are rolling off to resume their previous responsibilities or, in the case of third-party contractors, preparing to depart to their next engagement, there is the potential to leave behind a void in service and support.
The activities performed by the project team members on an interim basis need to continue in some form and eventually become part of normal operations. This is an area that is usually overlooked. The challenge then becomes going back to management to ask for approval for the appropriate security resources to support a new environment. For organizations that do not have in-house security professionals, this means either the addition of headcount with IT security expertise, or providing an IT security training curriculum and support to individual(s) who are currently part of the IT organization. Organizations have also considered outsourcing or augmenting staff to meet this requirement.
The issue with providing training to existing staff members is that, in most cases, the necessary level of support, and the time needed to climb the learning curve to be effective in the newly added roles, are not available. There is no substitute for actual work experience. Also, there is an expectation that the newly trained individual will usually need to maintain some or all of their current job responsibilities in addition to supporting an environment for which they have only recently been trained.
I have had the opportunity to address this topic with several organizations and have discovered that if the leadership is made aware of the resource requirements, along with some sort of justification, they are more likely to at least entertain the discussion, which in some cases is half the battle. I realize that there are cases where doing more with less is still the outcome no matter how proactive you may be in communicating your requirements. That is becoming more the exception than the rule.
So, as a takeaway, be sure to communicate the following to management as early as possible: post go-live support needs as part of the project requirements, and make sure that management understands these resource requirements as quickly as they can be identified.