In the final months of 2021, a record number of workers were quitting their jobs. This will lead to a spike in workforce turnover in many organizations. I want to focus briefly on a specific risk that is not getting much airplay.
Organizations with lower process maturity rely on tribal knowledge to get things done. During the Great Resignation, a replacement worker often receives no cross-training from their predecessor, who has already left. Instead, replacement workers must learn their routine duties from whatever policy, process, and procedure documentation exists.
In many (and perhaps most) organizations, there is little such documentation to rely upon, and other co-workers are often not familiar with the details of their departed colleagues’ duties. The result: organizations stop performing routine activities correctly, and many activities stop altogether.
This is a particular problem for cybersecurity-related activities. Security activities are detective and protective in nature: they protect core business operations, but they are not those core business operations. When cybersecurity activities such as vulnerability scanning, patching, access reviews, event monitoring, alerting, and incident response cease to function, the core functions that deliver the organization’s goods and/or services continue, for a while at least, so nothing visibly breaks and nobody raises an alarm. As more organizations fall further behind on these essential activities, the likelihood of a successful attack increases.
The cybersecurity workforce shortage has been a problem for years, and I fear it is getting far worse with the Great Resignation. Where security professionals resign and take other jobs, particularly in organizations with lower maturity, many routine and essential cybersecurity-related activities will simply stop.
This phenomenon will make it easier for cybercriminals to attack and compromise organizations, particularly those that are less mature.
The fix for this is not easy: many organizations are already short-staffed, and taking the remaining staff offline to document their processes means other essential work goes undone. Organizations with lower maturity are often unaware of the need to document critical activities at all, particularly those related to cybersecurity. Squeezed by tightening profit margins, they frequently cannot afford to hire outside experts either. Instead, this silent risk will continue to grow until the inevitable occurs.