I saw an interesting poll on the ISC2 website earlier today, asking: "What is your company's biggest challenge in regard to information security?"
"Insufficient funding" came in third, lack of education second, and our all-time number one biggest challenge of all time, "lack of management buy-in".
None of it particularly surprises me. I sent this over to my friend Andrew in Gibraltar to see what he made of it. He's a Security Officer with a distinct lack of management buy-in. He ventured forth the opinion:
"I wonder how much of the inability to secure sufficient funding and management buy-in is due to the approach of the security professionals themselves?
This suggests that the ability to improve Information Security is well within the grasp of the average company but they are just not dealing with it."
Another comment on PCI Answers from my old mate Tom Grubb from my Vormetric days (now at Polivec) made me realise that we're really only just beginning the real education of security. In fact we haven't even finished getting it right yet. I use a simple table in many of my presentations on data integrity to show the state of the industry. I won't reproduce it here, simply because I don't have a copy on my home PC, but the fact that I introduce data integrity as the cutting edge of security, and as where security is right now, shows you that we aren't in a mature industry yet.
I said to Tom that he has a big job of education to come; in fact I've been educating for nearly ten years now and am still learning loads at the same time. When that stops, companies will be able to address compliance much more easily, from a reasonably static baseline, as Tom desires. At which point most of the fun stuff (weirdo geek solutions that no-one in their right minds would try to sell) surrounding security will have disappeared and I'll have to move into the mobile market or something equally hideous.
Until then, I'm happy where I am. Read into that what you will.