Overhead has a bad reputation. While the security function is a key enabler, it will often be considered overhead by the business units that pay for it. In itself, this is merely a reflection of the financial and business realities of security. Security is a cost of doing business but its ability to scale, its comparatively small talent pool, and its governance aspect makes it natural to centralize.
However, the term overhead can carry the connotation of deadweight: Functions and processes perceived as not adding much value to a process but bureaucratically protecting a random status quo.
On the one hand, what stakeholders may consider a set of roadblocks best avoided might in fact be carefully designed checks and balances. On the other hand, like any process, checks can degenerate to become ends in themselves, and it can be a challenge to update or abandon controls and processes no longer serving their (or any) purpose.
Examples within the enterprise include legacy technical controls and metrics or layers of internal or external compliance management, each with their own tracking tools. Outside the private sector, you will be able to quickly identify rules and regulations, including those directed at corporate governance and information security that can similarly serve as examples.
How Bureaucracies Grow
Why would a well-intended governance system degenerate into bureaucracy? It may have started as a simple attempt to fix bottlenecks in the system. The devil lies in the details.
‘Empire building’ and an associated increase in complexity may lead to an internally focused organization with dramatically reduced effectiveness. This is the central tenet of Parkinson’s Law. Parkinson’s example is the administration of the British Empire, presumably by busy, hard-working individuals, whose number peaked at the same time when said empire completely unraveled. [1]
Overhead can increase when it becomes affordable. Australian author Anthony Berglas says that productivity gains will thus be absorbed because they free up resources for additional work. Berglas’ example is the Australian tax code, whose volume has increased by orders of magnitude in step with available computing power, while doing little for revenue. [2]
An organization may be reluctant to downsize in order to protect an internal status quo, leading to jobs that may be meaningless or outright counterproductive. David Graeber, Professor of Anthropology at the London School of Economics, posits that society accepts subsidizing corporate overhead (through higher prices and taxes) not despite, but because of advances in productivity, counteracting structural unemployment that might cause social unrest. [3,4]
"It is the first duty of the CISO to ensure the security function is effective, efficient and has minimal internal friction"
These mechanisms have in common that a qualitative problem – preserving the effectiveness of an organization – is solved by protecting or increasing the quantity of staff. However, a larger organization will not just be able to get more work done, it can simultaneously create more work for itself and everybody it interfaces with. In an antagonistic climate, one may even find business units investing in ways to neutralize it.
Prevention is Better than Cure
A security bureaucracy can be a strategic risk to any company. Lets look at health signs for a security function, and how they relate.
Effectiveness: Does the security function have a clear and reasonable mandate, and is it accomplishing its goals? Or is it spending most of its time coordinating with other units through fuzzy interfaces, re-affirming or asserting its own role? The company may have put a security function in place without vision and stakeholder support. It will be difficult to be a driver for change under these circumstances.
Efficiency: As long as a function’s remit remains constant and the processes were in working order to start with, one would need very good reasons to justify staff increases. New hires should be expected to build new capabilities, not bolster existing ones. Otherwise, the function may be at risk of falling victim to Berglas’ trap of increasing bureaucracy without increasing value.
Internal structure: Is the security organization flat, or is it becoming unreasonably hierarchical? A company will have an established span of control. The security function should stay within the same margin. If stacking increases, the organization may be at risk of falling victim to Parkinson’s Law.
Security resources are scarce and expensive, and businesses want to put them to good use, rather than creating busywork for them. Problems may be home-made or be rooted elsewhere in the business, be it because of cost pressure, turf wars or resistance to change. In all cases it is the first duty of the CISO to ensure the security function is effective, efficient and has minimal internal friction.
Individuals, regardless of their organization’s posture, can still make a difference. Corporations, matrix organizations in particular, work as networks, and as a security professional it is often necessary to influence without formal authority leveraging one’s skill and leadership. However if worse comes to worst, one’s pride (and a healthy respect for personal burn-out risk) shouldn’t allow a professional to stay in a role or organization he or she feels does not allow them to perform at their best.
Peter Berlich, CISA, CISM, CISSP-ISSMP, MBA is a management consultant and trainer (http://www.birchtree.ch/)
References
- “Parkinson’s Law” (retrieved 2014-12-30), http://www.economist.com/node/14116121 (see also http://en.wikipedia.org/wiki/Parkinson's_law)
- “Why it is Important that Software Projects Fail”, by Anthony Berglas (retrieved 2014-12-30), http://www.berglas.org/Articles/ImportantThatSoftwareFails/ImportantThatSoftwareFails.html
- “On the Phenomenon of Bullshit Jobs”, by David Graeber (retrieved 2014-12-30), http://strikemag.org/bullshit-jobs/
- “On ‘bullshit jobs’” (retrieved 2014-12-30), http://www.economist.com/blogs/freeexchange/2013/08/labour-markets-0