BAU vs Scaling Investments¶
The Inevitable Choice Every Security Leader Faces¶
Every security leader eventually confronts the same mathematical reality: demand for security services grows exponentially while team capacity grows linearly. This creates an inflection point where traditional approaches become unsustainable.
The Traditional Response: Hire more security professionals, work longer hours, accept growing backlogs.
The Strategic Response: Deliberately constrain some activities to invest in capabilities that reduce future manual effort.
This section explains how to make this strategic shift while maintaining security outcomes.
The BAU Scaling Crisis¶
The Mathematical Reality¶
As software factories grow, traditional security activities face a scaling challenge that hiring alone cannot solve:
Demand Grows Exponentially: - Security review requests increase with feature velocity (more teams = more requests) - Threat modeling needs scale with system complexity (more services = more models) - Customer security inquiries grow with customer base (enterprise customers demand more) - Incident response requirements increase with system surface area (more systems = more incidents) - Compliance activities expand with regulatory scope (new markets = new requirements)
Capacity Grows Linearly: - Hiring requires time (3-6 months per role typically) - Onboarding creates temporary productivity reduction (new hires require training) - Communication overhead increases with team size (coordination costs rise) - Maintaining quality becomes challenging during rapid scaling (standards slip under pressure)
The Inflection Point: Organizations reach a point where demand for BAU (Business-as-Usual) security services exceeds sustainable capacity, creating constraints on both security effectiveness and business velocity.
The Capability Gap: Beyond Just Capacity¶
The BAU scaling crisis isn't only about volume—it's about a fundamental capability mismatch between manual defenders and automated adversaries.
The Adversary Capability Shift: In recent years, adversaries evolved from targeted reconnaissance to automated discovery at internet scale. Using techniques inspired by bug bounty programs and internet-wide scanning, attackers can now:
- Discover unknown assets (forgotten servers, shadow IT, unmanaged dependencies) faster than organizations can inventory them
- Exploit known vulnerabilities within hours or days of disclosure
- Conduct credential stuffing at scale against thousands of targets simultaneously
- Probe continuously while defenders scan quarterly
The Structural Problem: Organizations conducting quarterly vulnerability scans face adversaries who probe continuously. Manual asset discovery can't keep pace with automated reconnaissance. This isn't a resource problem that hiring solves—it's a capability mismatch that requires automation.
Critical Insight: Supply Chain as #1 Priority
Supply chain security became the #1 priority not because dependencies increased, but because adversary capability evolved. When attackers can discover your unknown assets faster than you can catalog them, supply chain security becomes existential regardless of your other security investments.
The Strategic Choice Point¶
At the scaling inflection point, organizations face two fundamentally different resource allocation strategies:
Traditional Scaling Approach (Unsustainable)¶
Strategy: Attempt to maintain current service levels through capacity increases
Typical Actions: - Hire additional security personnel for manual work - Extend working hours to cover growing demand - Build custom solutions for individual use cases - Maintain primarily reactive security posture - Accept growing backlogs as "normal"
Why This Fails: - Hiring doesn't close the capability gap against automated adversaries - Linear capacity growth can't match exponential demand growth - Custom solutions create maintenance burden without scaling benefits - Team burnout and quality degradation become inevitable - Security becomes a business constraint and bottleneck
Strategic Scaling Approach (Sustainable)¶
Strategy: Deliberately constrain capacity for some BAU activities to create investment cycles for automation and self-service capabilities
Typical Actions: - Set explicit capacity limits for manual security activities - Develop automation and self-service capabilities systematically - Create standardized approaches for common security needs - Shift toward proactive, scalable security architecture - Measure and communicate ROI from scaling investments
Why This Succeeds: - Automation closes the capability gap against scaled adversaries - Capabilities create compound returns over time - Self-service enables teams without security team growth - Developer experience improves rather than degrades - Security becomes a competitive advantage enabler
The Compound Interest Principle
Just as financial investments generate compound returns, security scaling investments create exponential value. An automation capability used 100 times costs the same to build as one used once, but delivers 100x the value. Manual security work scales linearly—each review costs the same effort.
Investment Portfolio Categories¶
Security investments fall into three categories with fundamentally different scaling characteristics:
BAU Activities (Constrain Past Crisis Point)¶
Definition: Manual work that scales linearly with organizational growth
Examples: - Manual security design reviews for each new service - Threat modeling sessions requiring security team participation - Individual incident response investigations - Customer security questionnaire responses - Ad-hoc compliance evidence collection
Characteristics: - Required for business operations (can't eliminate entirely) - Demand grows with organizational scale - Each instance requires similar effort (limited efficiency gains) - Creates capacity constraints at scale
Strategic Approach: - Pre-Crisis: Maintain current service levels while building alternatives - Crisis Point: Set explicit capacity constraints with communication strategy - Post-Crisis: Systematic constraint with clear self-service alternatives
Constraint Strategy by Position:
| Position | BAU Approach | Constraint Mechanism |
|---|---|---|
| Visionaries | Minimal BAU burden initially | Automation-first—avoid creating manual processes |
| Leaders | Systematic constraint with alternatives | Self-service platform + clear escalation paths |
| Niche Players | Manageable manual processes | Document processes while building readiness |
| Challengers | High burden requiring constraint | Triage system + strategic automation pilots |
Scaling Investments (Prioritize Post-Crisis)¶
Definition: Capabilities that reduce manual effort exponentially or enable self-service
Examples: - Automated dependency scanning with auto-remediation - Self-service security environment provisioning - Policy-as-code with automated enforcement - Security champions program enabling distributed expertise - Developer security training and tooling integration
Characteristics: - Initial investment required (time, money, organizational change) - Benefits compound over time (more usage = more value) - Reduces future manual effort requirements systematically - Enables organizational scaling without proportional security team growth
Evaluation Criteria:
| Criterion | Why It Matters | Assessment Question |
|---|---|---|
| Manual Effort Reduction | Primary driver of sustainable scaling | Will this eliminate repetitive work permanently? |
| Developer Experience | Critical for adoption | Does this reduce security friction or create new complexity? |
| Time to Value | Affects organizational confidence | How quickly will benefits become measurable? |
| Cultural Alignment | Determines sustainability | Does this support learning culture and psychological safety? |
| Adversary Economics | Validates security value | Does this force attackers to more expensive approaches? |
Expected ROI Timeline: 6-18 months with compound returns increasing over time
Platform Effects (Multiply)¶
Definition: Investments that benefit both your organization AND customer software factories (platform companies only)
Examples: - Security platform features customers can leverage - Open-source security tools serving broader ecosystem - Security standards that become industry practices - Shared threat intelligence benefiting community
Characteristics: - Internal business case must justify investment independently - Customer value creates additional strategic benefits - Competitive differentiation potential - Market influence and thought leadership opportunities
Evaluation: Internal benefit × customer multiplier + competitive advantage
See Also: Platform Effects for detailed guidance for platform companies
Designing Security Capabilities That Compound¶
The "Catch and Store Energy" Principle¶
The most sustainable security investments don't just solve immediate problems—they capture organizational effort and store it in reusable capabilities that serve future needs without additional manual work.
Like renewable energy systems that provide ongoing value after initial investment, effective scaling investments become self-sustaining:
Paved Roads: Secure templates and baselines that engineers reuse without security review - One-time effort: Design secure baseline architecture, document patterns - Ongoing value: Every team using the template saves 10-20 hours of security reviews - Compound effect: As templates improve based on feedback, all users benefit automatically
Self-Service Platforms: Automated environments and policy-as-code eliminating recurring requests - One-time effort: Build security environment provisioning automation - Ongoing value: Teams provision secure infrastructure in minutes instead of days - Compound effect: Platform improvements benefit all users without additional security team effort
Automated Dependency Management: Continuous monitoring without manual intervention - One-time effort: Integrate automated dependency scanning and update tools - Ongoing value: Vulnerabilities detected and remediated automatically - Compound effect: Coverage expands automatically as new services are built
Security-Quality Integration: Process improvements serving both objectives simultaneously - One-time effort: Integrate security checks into CI/CD quality gates - Ongoing value: Security and quality issues detected together in development - Compound effect: Quality improvements enhance security, security improvements enhance quality
What to Avoid: Security Tools That Consume Energy¶
The Maintenance Burden Trap
Some security tools create ongoing maintenance costs that exceed their security value. Avoid investments that:
- Require continuous manual tuning to remain effective
- Generate high false-positive rates demanding constant triage
- Need specialized expertise that creates key-person dependencies
- Don't integrate with existing development workflows
- Create new manual processes rather than automating existing ones
Favor investments that: - Become more valuable and less demanding over time - Store organizational knowledge in reusable form - Enable self-service without security team involvement - Integrate seamlessly into existing workflows - Improve developer experience while improving security
BAU Constraint Communication Strategy¶
Constraining BAU activities requires clear communication to maintain organizational support and developer relationships.
Communication by Organizational Stage¶
Pre-Crisis (Building Alternatives):
Message: "We're investing in improved capabilities that will provide faster, more consistent security support."
Actions: - Maintain current service levels while building alternatives - Gradual introduction of self-service options - Measure baseline metrics for later comparison - Build organizational confidence in new approaches
Crisis Point (Implementing Constraints):
Message: "We've reached a scaling inflection point. To ensure sustainable security support, we're shifting from manual processes to self-service capabilities. Here's what's changing, here are the alternatives, and here's the timeline for improved capabilities."
Actions: - Set explicit capacity limits with clear justification - Provide immediate self-service alternatives (even if basic) - Establish escalation paths for critical needs - Regular updates on scaling investment progress
Example Communication:
"Our security review process has reached capacity constraints. Starting next quarter, we're implementing a self-service security baseline that will enable most teams to deploy securely without security review wait times. For projects outside this baseline, we'll use a triage process prioritizing business-critical initiatives. We expect this transition to take 6 months, after which your experience will significantly improve."
Post-Crisis (Systematic Operations):
Message: "Improved self-service capabilities are now available. Most teams can now [specific capability] without security team involvement, and we've measured [specific improvement metric]."
Actions: - Demonstrate ROI realization from scaling investments - Showcase developer experience improvements - Adjust capacity constraints based on capability maturity - Continuous improvement of self-service platforms
Financial Model Considerations¶
Security leaders operate within inherited financial contexts that affect investment strategies:
Cost Center Context¶
Constraints: Security viewed as overhead, budget scrutiny, ROI skepticism
Strategy: - Focus on compliance cost avoidance (failed audits cost money) - Emphasize operational efficiency (automation reduces labor costs) - Use crisis events as opportunities for scaling investment approval - Frame investments as risk reduction with quantifiable business impact
Conversation Template:
"Our current security approach will become a business constraint as we scale. Rather than only adding capacity through hiring—which provides temporary relief at increasing cost—we recommend investing in capabilities that reduce manual effort requirements permanently. This approach improves both security outcomes and business velocity while managing cost growth."
Shared Services Context¶
Constraints: Internal customer satisfaction, operational metrics, service level expectations
Strategy: - Develop business cases emphasizing internal customer satisfaction - Measure and communicate developer experience improvements - Show operational improvements reducing business friction - Position security as enabling faster, safer delivery
Conversation Template:
"Our internal customers currently wait an average of 5 days for security reviews. By investing in self-service security baselines, we can reduce this to under 1 hour for 70% of projects while improving security consistency. This enables faster delivery without compromising security outcomes."
R&D Integration Context¶
Constraints: Security competes with feature development for resources and attention
Strategy: - Frame security investments as competitive advantages - Measure success through business outcomes, not security metrics - Demonstrate security capabilities enabling business opportunities - Position security as accelerating time-to-market for secure products
Conversation Template:
"Security automation isn't just about managing risk—it's about enabling our engineers to move faster with confidence. By investing in security platforms, we can support 3x growth without proportional security team expansion while improving both security posture and delivery velocity."
Success Metrics for Investment Shifts¶
Track these metrics to validate your BAU constraint and scaling investment strategy:
Leading Indicators (Early Signals)¶
- Scaling investment velocity: Projects started, adoption rates, developer feedback
- Alternative capability usage: Self-service adoption rates, platform utilization
- Developer satisfaction trends: Survey scores, friction reports, voluntary participation
- Investment pipeline health: Approved projects, executive support, resource allocation
Lagging Indicators (Results)¶
- Manual effort reduction: Hours saved per activity type, capacity freed for strategic work
- ROI realization: Measurable benefits vs investment costs, compound return evidence
- Security outcomes: Vulnerability detection rates, incident response times, risk posture improvements
- Business velocity: Time-to-market improvements, deployment frequency increases, developer productivity gains
Next Steps¶
- Assess Your Position: Are you pre-crisis, at crisis point, or post-crisis in your scaling journey?
- Evaluate Current Portfolio: Catalog BAU activities and identify scaling investment opportunities
- Review Evaluation Criteria: Systematic framework for prioritizing investments
- Understand Platform Effects: Additional considerations for platform companies
- Develop Communication Strategy: Prepare stakeholder messaging for investment shifts