Do you often feel that despite best efforts to circle the wagons your information security team is fighting a losing battle with broken down tools? Even though information security budgets have increased in the last couple of years—likely in response to the very visible increase in high-profile data breaches—discretionary budget dollars are scarce. I recently heard the poker term “dead money” used to describe that large portion of every IT budget that has been committed long before it is received, much like the money we all must dedicate to mortgages, utilities, food, and transportation. Thus, for every $100 of total IT spend, we may be left with just $0.60 for new baubles and geegaws, as my grandmother used to say.
According to Gartner, in 2015 we will spend about $77 billion on software and services for information security worldwide. Despite this outwardly positive state of affairs, I was surprised to find, at a recent conference on information security and IT infrastructure, a pervasive underlying current of cynicism among both presenters and participants. One presenter from a public institution of higher education stated that he could not compete with private industry for qualified staff; another presenter lamented that policies exist to better govern information security, but they are not followed; and yet a third indicated that the average tenure of a Chief Information Security Officer (CISO) is only two years. Two years for a C-level executive is barely enough time to print new business cards and “engage with the business,” much less evaluate, analyze, and improve an organization’s information security posture—all while being held accountable for the inevitable data breach. No wonder CISOs are hard to find and harder to keep.
On the trade show floor there were dozens of VVSDs (vendors vying for scarce dollars), most with names that none of us have ever heard of: RedSeal, Yellow Dog, Actifio. When did company names finally depart entirely from describing what they do? But I digress. Ultimately, the question remains: What can you do with $0.60?
Beyond the Baseline
Let’s assume the necessary baseline spend for information security covers infrastructure, staffing, software, and maintenance. It covers all the usual technology tools, such as user authentication, endpoint protection, data loss prevention, remote access VPN, and encryption. What’s missing? Ordinary people.
People remain the common element in nearly all data breaches. Whether they are associated by phishing, inattention to policy, negligence, failure to follow process, or malfeasance, people cause (or allow for) information security failures. So what if we take our $0.60 and mosey on over to the HR department for a chat? What if we spend the next quarter or next year focusing on improving awareness and more fully engaging employees in the fight? Not just check-the-box training, but real, measurable engagement to first find out what our employees really think and do, and then act on that knowledge. Seek to strike at the heart of the issue, unglamorous as it may be. No new geegaws this year—engage with HR and see what you can accomplish.