The NSA Has a Common InfoSec Problem


According to one whistleblower, the NSA has is being overrun by information.

This should sound familiar if you’re part of a corporate information security team. In nearly all corporate infosec scenarios I come across I see two trends:

  1. There aren’t nearly enough people to do the work

  2. They’re constantly seeking ways to gather more work/data

Stop. Gathering. More. Data.

It’s the same with the NSA it seems. They keep finding more ways to gather content from citizens but they already can’t handle the content they do have.

The one-list approach

The solution is simple: scale your program according to your resources. Here are the steps:

  1. Prioritize the events/incidents/activities that must be caught or completed. List them in prioritized order, 1 through 10

  2. Determine how many people you have, and how much work they can do

  3. Starting at the top (number 1) assign the work to the people you have

  4. When you run out of people to assign tasks to, stop assigning work. That’s your limit

  5. Do not go looking for more work. You already know what your priorities list is, and you’re not going to make your existing work go away by finding new work

  6. Periodically review your priorities and re-adjust as necessary

This approach can make a two-person infosec team shine—even in an enterprise. Will they be doing in-depth assessments of their 5,000 applications? Probably not. But they’ll at least know which are the most important, and they’ll know exactly what they should be doing next.

Even better, they’ll know exactly what the third person they’re about to hire should be working on—because they have a prioritized list of work that they trust.

The NSA needs to do the same thing. Let’s say they mostly care about these 500 people saying things on the internet. That’s our first priority. Then we care about these 2500 people recruiting people on the internet. That’s our second priority. And so on, down the line.

Well they only have X number of employees. And they ran out of them assigning them to the top 4 priorities. So why are they still spending millions trying to find more data? It’s the corporate infosec problem all over again.

Know your priorities, now your limitations, and assign work appropriately. Trust that list, and don’t chase shiny work/data when it passes your field of vision.


  1. You should obviously adjust your priorities if you learn about something that’s even higher priority than your list. But don’t work away from the list, simply update it with the higher priority. One list of priorities. Trust it, and you’ll keep your sanity and your effectiveness.

Related posts: