The ideal outcome for a Cyber Security team is to make the teams within the business more aware of the risks they carry in their work, and for those teams to react and change their processes to manage the risks better.
This change in process usually (although not always) requires the team to either add extra steps or increase their cognitive load, and it slows their work. Having to do this work, separate from the work itself, damages the relationship with Cyber Security teams a little.
A busy team, who are struggling with their existing workload, may not appreciate you cheerfully turning up and adding to their existing work.
A team's ability to take on additional work is what I like to call the Reservoir of Good Will.
To explain in more detail, a reservoir is a body of water used for storage. The water level goes up as more water enters it, such as from rain or snow, and it is drained to produce a valuable resource, such as hydro-electric power or drinking water.
Good will is the concept of doing something with no expectation of getting something in return.
The Reservoir of Good Will is an analogy to allow Cyber Security teams to think about how making requests of a team affects the relationship with that team.
When a Cyber Security team makes a request of a business, it takes the team away from doing the thing they’re expecting to do, leading to a level of frustration. It drains some good will from their reservoir.
Some teams have a larger reservoir. They have more capacity to take on the inconvenience of the thing you ask. Some have a smaller reservoir, and may struggle.
As people practicing Cyber Security, our responsibility is to ensure we keep the reservoir of each team topped up. We can take sips or gulps from the reservoir, but we must be mindful of how much it is drained.
However, if the reservoir gets too full, we are not fulfilling our responsibilities to the business of keeping it as secure as it could be. We will always need to dip into that reservoir a bit.
We need to keep that reservoir at a good level, and to do that we need to understand where that level is. We must measure it.
Therefore we must be cautious: poll the levels, make sure our actions are kept at the right amount to sustain each team, and understand the size of our activities to see if they are going to be too big of a glug.