There is no question that the battle with information security will never be fully won. Somewhat akin to the battle on terror, the information security battle is an ever moving, ever persistent battle against a changing enemy. And as with America’s war in Iraq, the day-to-day battles that are actually won go unseen by the industry as a whole and, more importantly, by upper management.
Noam Eppel writes in his article “The Complete, Unquestionable, And Total Failure of Information Security” that we as security professionals are failing. While I agree we face a massive growing foe in the information security battle, I disagree with the notion that we as security professionals are the root cause of this failure. And though I disagree I think we can do many things to improve our chances.
Security is new enough to the business world that we are still compiling the statistics on how certain information security practices (or lack thereof) affect business in general. Business has recognized the fact that information security can no longer be ignored — but to many companies information security is a cost center that is tolerated because the amount of risk they face is not entirely clear. So companies tend to adopt what they see as a “reasonable” amount of security and play the odds. And when those odds don’t play out to the expectations of the business, the company generally finds religion and budget dollars open up.
So now we come to the real battle within the battle: the fight for corporate budget dollars. And this is a real fight. As information security professionals, we are presenting a risk and selling insurance. And unless you approach this fight properly armed, you’re gonna get your butt kicked.
I have found there are 3 areas of profound importance in the fight for the information security share of the budget pool:
Do not overstate your risks: Practice sound risk management. Be reasonable about your risk projections. THROW OUT YOUR DOOM AND GLOOM SCENARIOS. Stick with numbers.
Provide meaningful statistics: This is key: you MUST have good statistics to show the business that this happens in the everyday world.
Keep the information flowing: Many information security professionals do a great job in creating the risk profile and original statistics, but they fail to keep the pipeline of information flowing. Create a process for measurement of success and keep executive management informed of not only the potential new risks but also the statistics related to your success. Business needs to be constantly reminded that the program is providing value.
The most important thing to remember when approaching this entire process is to document your desired outcome and create a measurement of success to that outcome. Ensure that executive management agrees and understands the desired outcome for the program.
While the fight will continue to go on, education will continue to be the best weapon available to the information security professional. Build your security program on a canvas of sound business practices and the chances of success will be greatly enhanced.
