By Rick Blum, INS
Remember the good ol’ days of security—back when knowing the latest virus’s footprint or how to configure a firewall would vault you to the top of the most valuable list? Ah yes, those were the days when security professionals could simply concentrate on identifying faulty code and leave the business to others.
Well, it’s time to wake up. Sure, there is plenty of room for techies on today’s IT security team—in fact, more need than ever. But, security is no longer just a sport for techies. Now the most effective lineups boast players with financial acumen and people skills—at least according to a recent survey conducted by INS.
The survey of 84 security professionals asked a number of questions about the state of security today. And there’s a lot of good news to report. Nine out of 10 organizations place security among their top priorities, with 29 percent listing it as numero uno. Further, more than three-quarters of survey respondents are satisfied with their IT organization’s security capabilities and an even higher number (85 percent) are satisfied with the products available to improve those capabilities. Unfortunately, those products can come at a steep price—which is where financial acumen comes in.
Security products are constantly evolving to meet the ever-changing array of threats that are conjured up daily by the mischievous as well as nefarious. They also have to constantly add functionality to comply with new government mandates as well as meet simple business imperatives, such as not making the nightly news by losing sensitive customer data. All this churn comes at a price. And that price erects barriers to improving information security capabilities. In fact, 57 percent of survey respondents say that the cost of products and tools is too high. Additionally, 54 percent say that justifying the cost to upper management when compared to the potential benefits is a significant barrier to improving security.
Does this mean that security professionals need to get MBAs in order to move ahead? Maybe it does. Certainly, there will always be a need for technical skills, but understanding how to build a business case that the CFO can read and say, “Now I get it,” is just as critical to boosting security. Unfortunately, demonstrating the value of security investments is among the toughest tasks IT can undertake. While that hot new Web service might have the potential to generate new revenues—and show a solid short-term return on that investment—security improvements are usually all about potential cost avoidance. In other words, if it works, no one will notice. Yet, not making the investment might sink the business. It’s up to you to prove the danger, and the cost of the remedy. For this you’ll need numbers—cost numbers and potential cost numbers. Time to get familiar with some new acronyms like NPV and IRR.
If cost of improving security is the top barrier in today’s environment, then end-user laxity is the top issue. Nearly one-third of survey respondents say that the issue that causes them the most concern about potential security breaches is simply that end users are inadequately trained on proper security procedures, or are just unconcerned about the consequences of their actions. Neither of these situations can be cured by security products with more cryptographic code.
Security professionals have recognized for a number of years the importance of creating comprehensive security policies and procedures, and generally have done a good job of documenting them once created. Where they often fall down, though, is getting the people who are on the front lines to actually read and follow them. Simple dictums and other one-way efforts are likely to be ineffective.
Putting together a highly effective program that will educate users to proper security procedures—and create the types of incentives that will instill those procedures into everyday activities—requires knowledge of both educational theory and psychology. Plastering posters around the workplace won’t stop the writing of passwords on sticky notes left in plain view, nor will they be adequate reminders when that person on the other end of the phone line just really, really needs a record of his transactions last month. Enabling employees to recognize potential security holes requires lots of hands-on training and constant reinforcement. Not the favorite activity of your typical security savant.
So the bottom line is that building information security is not much different than most other business activities. Its value to the organization must be proven in order to be funded, and wishing for cooperation is no substitute for active programs. The truth is, nerdiness is no longer the only characteristic looked for in a security MVP candidate. The security stars of tomorrow are going to be equipped with a financial calculator and a copy of Psychology Today—as well as a can of Red Bull, just in case.
Rick Blum is senior manager of strategic marketing at INS, a global provider of business-driven information technology consulting and software solutions based in Santa Clara, California.