Why is organizational spend ineffective at reducing information security risk?
In this InformationWeek article, Mike Fratto discusses some reasons why, even though 95% of IT security groups see their budgets either hold steady or increase this year, over 65% of them say that their organizations are at greater risk. Mike asks, “Since when is ‘no worse than before’ an acceptable return on investment?”
This is a message that Information Defense Corporation has been carrying to our clients for some time.
Our collective experience shows us that all the money organizations pour into security technology and technology focused assessment and control adds little to no value to the organization and little support to its overall mission. We educate our clients to take an “asset focused, risk informed” approach to managing information security risk.
One point Mike makes in the article, that “IT needs to go against the grain and train itself to focus on the value of data and the likelihood it will be compromised, rather than on how a compromise might occur,” is absolutely critical. However, this is very difficult to accomplish, not only because of the nature of how IT leadership and staff tend to approach problems, but because there is often a significant disconnect between IT and the rest of the organization when it comes to how the information (not “data”) is valued. Often IT does not have a clear understanding of the value of the information asset (rather than the technology asset) to the business and to the potential threat sources.
A key issue the article does not address, and that Information Defense believes is a major roadblock in effective information security risk management, is the almost total lack of oversight of, and visibility into, this risk by senior-level executives and boards of directors. All too often we see these risks dismissed with the attitude of “our IT guy has got it covered” when in fact there is a huge disconnect.
One of the primary responsibilities of senior executive staff is managing risk to the business assets. Over the last 50 years the ratio of tangible to intangible (information) assets of companies has inverted. Most of a typical company's assets are now intangible, yet risk management practices have not changed to reflect that situation.
This lack of oversight has not been helped by the typical positioning of the Chief Information Security Officer role within the IT organization. Among other things, this clearly communicates the philosophy of security as a technology problem, which is short-sighted. Further, it means that only a technology solution can be brought to bear.