Wednesday, 23 May 2007

Security Challenge

I saw an interesting poll on the ISC2 website earlier today, asking: "What is your company's biggest challenge in regard to information security?"

"Insufficient funding" came in third, lack of education second, and the number one challenge, by a distance, was "lack of management buy-in".

None of it particularly surprises me. I sent this over to my friend Andrew in Gibraltar to see what he made of it. He's a Security Officer with a distinct lack of management buy-in. He ventured the opinion:

"I wonder how much of the inability to secure sufficient funding and management buy-in is due to the approach of the security professionals themselves?

This suggests that the ability to improve Information Security is well within the grasp of the average company but they are just not dealing with it."

Another comment on PCI Answers from my old mate Tom Grubb from my Vormetric days (now at Polivec) made me realise that we're really only just beginning the real education of security. In fact we haven't even finished getting it right yet. I use a simple table in many of my presentations on data integrity to show the state of the industry. I won't reproduce it here, simply because I don't have a copy on my home PC, but the fact that I present data integrity as the cutting edge of security, as where security is right now, shows you that we aren't in a mature industry yet.

I said to Tom that he has a big job of education ahead of him; in fact I've been educating for nearly ten years now and am still learning loads at the same time. When that stops, companies will be able to address compliance much more easily, from a reasonably static baseline, as Tom desires. At which point most of the fun stuff (weirdo geek solutions that no-one in their right mind would try to sell) surrounding security will have disappeared and I'll have to move into the mobile market or something equally hideous.

Until then, I'm happy where I am. Read into that what you will.


Andrew Mason said...

Thanks for sending this to me as it has galvanised my approach somewhat.

Regarding my first comment you quote, I have been considering different approaches recently and trying some out. Some have made ground and I will blog about that at some stage. The interesting thing is, having tried the "get management buy-in at the highest level" approach as all good InfoSec publications advise, nothing happened. Nada. Zip. The Directors nodded and murmured agreement and then forgot about everything once they left the board room.

I'm still persevering with that but have also started attacking the lower orders with more success. It strikes me that your average employee does want to improve the InfoSec environment but doesn’t get told to. If you include them in discussions they are normally eager to assist. The issues arise when they need to allocate time from their busy schedule to do the work and that is where the management buy-in is required.

That said, if your average manager gets inundated with requests from their own staff to work on similar issues, they will normally agree to allocate some time. It only gets tricky when the time requirement gets to the stage where it is impacting day to day operations. However, by that time, hopefully, enough managers are getting requests for time that it gets discussed higher up.

When that happens, the law of “volume control” starts working and the director level types get hassle from more than just that irritating InfoSec guy who’s always telling us how bad things are.

Will this work in reality? Who knows, but it has to be worth a try!!

Rob said...

Mike Rothman has linked to this post to say how close this survey is to the intro of his book.
There's a reason for this. Mike's book is based on real life, and can only have been written by someone who's experienced it.
I carry it with me on a daily basis, it is like a bible for security folks. If everyone else in ISC2 did, maybe it would look a little different?
Andrew, if you don't have a copy yet, I advise you to invest (charge it to the company of course). It is fresh, interesting and will galvanise your approach even more.
I've said before that Mike isn't teaching you anything new, but what he is doing is telling you the right way to do what you already know. Galvanising is a good word.

Rob said...

Oh, and no, I'm not on Mike's payroll.