III. The Strategy Gap

When an individual thinks he doesn’t have enough information on which to base decisions, or as many resources as he believes he needs and, for the most part, he’s not part of the planning process, what does he do? Typically, he falls back on what he knows best. For information security executives, that means focusing on technology—on tactics, not strategies.

Perhaps not coincidentally, this year executives are shifting from more strategic security practices toward more traditional technology practices (compared with last year’s results). In 2005, for every one technology item on the security executive’s to-do list, respondents mentioned four process fixes. This year, that ratio is nearly 1-to-1. In all, of the top dozen items on the 2006 security to-do list, seven can be described as a technological fix. Among the top five are some of the more routine and easy security measures, including data backup, network firewalls, application firewalls and instituting user passwords. That explains why the percent of companies reporting they have an overall strategic plan in place was unchanged at 37 percent.

At the very least, some of the shifts are perplexing. Dropping from the top spot in 2005 to fourth place this year is the development of a business continuity and disaster recovery plan. That’s a surprising result given Hurricane Katrina’s reminder of the importance of such plans.

But news coverage about disasters and security breaches may not be a driver for security investments. Our prediction that last year’s 10th item on the information security to-do list—spending on IP protection—would move up because of the sharp increase in high-profile identity thefts and the increase in the amount of digitized content (such as iTunes) did not occur. IP protection didn’t even make the 2006 top 10 list. Even some of the simpler and less costly strategic security practices dropped. Conducting employee awareness training dropped from second to a tie for 10th on the priority list.

The kicker here is that designing an overall information security strategy—fourth on the list last year—didn’t make the 2006 list.

What’s happening? Why has strategic planning for security become an afterthought? One answer may be that in an information vacuum (information security executives report that they are unsure of their budgets, where attacks have come from and where they will find people with the skills they need), short-term solutions seem more prudent than long-range ones. Sony’s Spaltro offers a more fundamental reason: Information security managers have what he calls "dings" coming into the job. They speak geek. Their bosses don’t. "I tend to open meetings with executives by reminding them that security is a business decision and everything we do from cameras to encryption to information classification is a decision that the business makes to protect its assets, and I don’t own that decision," Spaltro says. "I’m there to be the bridge between the technology and the risk that they face and help them to make decisions, but in the end it is really for them to tell me what to go execute."

For information security to be most effective, aligning the technological processes with the organization’s strategic plan is critical. Companies that make security part of their strategic plan, Lobel says, have fewer breaches, lower financial losses and the fewest network downtimes.