One of the key reasons why Information Security is often poorly aligned with the business is the ‘siege’ mentality trap that Information Security practitioners have a propensity to fall into.
Let me explain this point through a quick story:
Some time ago I was contracted to coach and mentor a person in a newly created Security Manager role. I would approach these sessions with a combination of structured learning and guidance on managing hands-on, real-world problems present within the organisation. The combined theory-and-practice approach was working well; however, we ran into an unexpected hurdle.
After a few weeks, I was asked if I could assist with some pressing security issues. Gradually our focus shifted to solving these issues, and structured learning became a secondary priority. Sure enough, as the weeks progressed, more and more pressing security issues emerged, which drew focus away from our training. The person I was coaching was keen and capable, but clearly felt that he was being measured by how quickly and effectively he resolved the emerging security threats. As he became increasingly absorbed in issues, he completely lost sight of the basic principles of security and stopped the training altogether.
The most frustrating aspect to me was that he didn’t realise that he was simply putting out spot fires without understanding which blazes were most relevant to the organisation. It reminded me of the old saying: when the woodcutter’s axe was becoming blunt, he couldn’t stop to sharpen it as he had too many trees to cut down.
In this case, the trainee fell into the all too familiar and reactive ‘siege’ mentality. He was very busy, he felt important, and he believed he was adding value. His manager knew no better. Unfortunately, the reality was he wasn’t spending his efforts in the right places and the value he was adding was well below what it could have been.
You may think that this problem is limited to smaller, less experienced organisations; however, in my experience, even the largest organisations with considerable Information Security budgets fall into the same trap. In an attempt to counter the sheer volume of incidents they are exposed to, many organisations are creating teams of fire fighters, with very few resources set aside for fire prevention and prioritisation.
Of course, we cannot prevent all security issues, but we can prevent some issues from occurring and prioritise the issues that do occur based on the impact they have on the organisation. Using tools such as Data Sensitivity Analysis and Control Matching, you will be able to identify:
- The highest priority areas to apply limited ‘fire prevention’ resources; and
- Which fires can be ignored and which fires need immediate attention.
With this approach, even scarce resources will achieve the highest protection value for the organisation.
Have you taken the first step to ensure your Information Security investment is confidently adding value to your organisation? Give one of the Linus team a call today to discover how you can effectively kick off this process.