Phil Venables

Why Good Security Fails: The Asymmetry of InfoSec Investment 

One of the many paradoxes of security is that when you have invested appropriately (sometimes at significant expense) and you have fewer and fewer incidents, then some time later someone somewhere might ask: “Why are we spending so much on security when we don’t have any issues?”


If this becomes an accepted view then cuts happen, upgrades and maintenance don’t get incrementally funded, or investments to mitigate new risks are not made. You know what comes next: slowly but surely, cracks appear and controls degrade. Then, either in one big “boom” or through the slow death by a thousand cuts, incidents increase.


There is also a less dramatic and perhaps more insidious pattern which goes like this:


  1. There’s a security issue identified from a risk assessment or other process.

  2. There are funds obtained / resources allocated to “fix” the issue.

  3. Everyone works hard to get to a good place. 

  4. Things are ok for a while, quarters or more likely years. Sometimes a decade.  

  5. People then forget there was ever a problem in the first place.

  6. Resources then get slowly stripped away. People who understand the need for the control are likely wary of Chesterton’s Fence but they still pluck a person at a time from the team that sustains the control, or load those people up with slices of other work. 

  7. Before you know it, the team that might have been, say, 10 people with a range of expertise and experience is now 2 junior people doing their best to keep things going. No one actually took the decision to go from 10 to 2 but that’s what the effect is over a series of smaller, often implicit, decisions.

  8. Then failure comes. In a high-pressure environment where the control(s) are a key part of your defense in depth - or even your sole defense - that failure might come surprisingly quickly after a tipping point is reached.


Worse, these factors can come together in a particularly harmful way: a small drop-off in security funding can cause an exponential reduction in control effectiveness, whereas a small continued incremental “inflationary” increase, or even flat sustainment of funding, can assure risk mitigation. Even security stasis needs investment (perhaps not incremental) because the surrounding environment is constantly changing and adding risk. This is the asymmetry.





So, why does this happen? Simply put, it is because many organizations do not put in place processes to counteract this natural tendency. This is especially hard for distributed organizations where security resources are embedded in business units, engineering teams or across a network of suppliers. But it’s also a challenge for the security team’s own resources. This is an example of one of the fundamental Forces of Security: Entropy is King.


So, what can we do to put in place the counter forces to sustain security?


1. Organization Health Monitoring

Most organizations do regular risk and control assessments to determine if risks have been identified and if they are being mitigated appropriately within some defined risk appetite - mostly by ensuring controls are implemented and sustained. This type of process can be done procedurally with RCSAs (Risk and Control Self Assessments) or more systematically with continuous control monitoring and risk quantification. 


Some organizations also measure the “health” of their organization with a similar objective - to assess whether the right resources (people and budget) are being applied in the right ways. This could be as simple as having a prescribed model for what federated / embedded security teams, roles, and responsibilities exist in the organization and then assessing whether reality conforms to that (agreed) model. More advanced approaches could also include the attributes of those teams and roles including the distribution of experience (seniority, tenure or otherwise) and skills. This can help ensure there is not just the right number of people but also the right balance of skills and experience. 


It is also important to be systematic in defining how the central security team is resourced, in some modeled way. There could be a range of operational factors that determine the degree of resources. For example: a detection and response team could be scaled according to a combination of sensory coverage and threat profile, or a penetration testing team could be sized proportional to the digital attack surface of the organization. Doing this in a commercial, supply-and-demand oriented way is helpful because you can show that you’re not just looking to scale people linearly, but are using funding to increase automation so you are getting more efficient, growing the team sub-linearly relative to the scale of the tasks.


Now, there’s no magic here. Your model of what is needed and reality may diverge, but the divergence is surfaced in a transparent way that can be positively accepted by leadership and/or the Board. For the organizations I’ve seen do this, the pattern of agreeing on a model and then assessing conformance or deviance vs. the model leads to more pragmatic discussions of resource needs.


2. Zero Based Budgeting

Zero based budgeting can create a sense of dread for many organizations. The process of assuming a zero budget and then rebuilding it back up by re-justifying your resources can result in cuts. But, if done with a hard-nosed commercial attitude, I’ve seen most security teams that are subjected to this actually sustain growth each budget cycle. I’ve seen a few organizations actually grow significantly (>30%) during such zero based reviews. 


3. Deliver and Communicate Incremental Benefits

Constantly look to implement controls that also deliver adjacent benefits. Even if these are not apparent, find ways to highlight even the small incremental benefits that exist because of the controls. Make the resources (people, hardware, software, services) that deliver security be seen as commercially necessary beyond the specific loss / incident avoidance purpose of the controls. In other words, flip the script on incentives.


4. Build a Base of Support / Advocacy

Work to ensure all leaders value and state the value of security. While tone at the top doesn’t guarantee resources in the ranks - it sure helps. 


5. Make Scarcity Visible

Often, pressures in the system such as stretched resources, or services where supply is not capable of meeting demand, are not immediately seen as a problem. This is because the security team or other embedded roles are working beyond their natural capacity and progressively burning themselves out. If your only measure is results then your heroics might well be taken for granted rather than rewarded. Instead, figure out ways of making the scarcity visible; for example, attempt to negotiate lower SLOs for various activities, which will result in constructive conversations around resource limitations.


Bottom line: unless actively counteracted, resources applied to sustain security will gradually atrophy. Worse, the drop-off in effectiveness is disproportionately negative relative to the rate of resource drain. Things can go from good to bad to “boom” pretty quickly.
