I was recently part of an AISA Discussion Panel on investing in Information Security. It was an interesting session, bringing together a range of perspectives on how to answer a very challenging question.
Evidence suggests that Information Security spend is very low, at around 4% of total company spend in Australia, but it became clear during the session that where your budget is spent is just as critical as how much is spent.
The overlooked aspects of Information Security
One panel member pointed out that Target in the USA, a high-profile example of poor Information Security processes, spent money on security control software but not on configuring, monitoring or managing it effectively.
Another panel member gave a chilling example of how a corrupt employee simply asked colleagues for their account passwords, citing convenience as the excuse, and then used those accounts to alter sensitive data and pass intelligence to external groups.
Clearly, internal people and process issues are just as important as any technical aspect and are often overlooked.
One size does not fit all
The merits of the Australian Signals Directorate (ASD) Top 4 Mitigation Strategies as a solution were also discussed.
I can understand how attractive these may appear, providing comfort in the idea that a prescribed set of basic controls can reduce risks in your organisation to acceptable levels. But the reality is very different.
The consensus amongst the AISA Discussion Panel was that implementation is not straightforward and that the results fall well short of an ideal solution. The ASD Top 4 Mitigation Strategies suffer the same weaknesses as any baseline approach: they are overkill in some cases and inadequate in others. Always remember, one size does not fit all!
Trend: Senior Management are completely unaware of their IS spend
The Panel also discussed an even more concerning trend where CIOs and other senior management often do not know how much they spend on Information Security.
There is also a complete disconnect when it comes to measuring the return on investment (ROI) of security initiatives.
As the conversation progressed, it became clear that Information Security decisions are being driven largely by IT groups with little or no knowledge of the business context or value of what they are doing. They simply don’t understand how to put Information Security into business terms to start the right dialogue.
But this isn’t for lack of trying.
Audience members were clearly passionate about doing the right thing, but are struggling to have the right conversation. Perhaps they feel powerless to ask The Business, or simply don't know what questions to ask.
Don’t become part of the problem
I was concerned for the Information Security professionals in the audience who appear to be bearing the entire responsibility for security decisions, not to mention the inevitable fallout when things go wrong.
I also had the impression that many in the audience were inhibited from moving down a new path by cultural or management barriers. Perhaps the flea-in-the-jar analogy is appropriate here: people who don't stop and question the process can end up sealing their own fate and becoming part of the problem.
How much should you spend on Information Security?
The path to solving this problem is relatively simple. You need to look at Information Security from a data-centric viewpoint instead of thinking only about the threats.
The Business conversation needs to start with data sensitivity and practical outcomes before any security control decisions are made. Once you have identified your most sensitive data, you can select and implement the controls most appropriate to protecting it. Of course, this doesn't preclude implementing basic common-sense security controls in the interim.
Only then will you be able to determine the optimum amount your organisation should spend on Information Security.
Still struggling to view your organisation’s Information Security spend from a data-centric perspective? Contact me directly on +61 3 9017 2119 or ask a question through our contact form, and I’ll happily provide more tailored advice for your organisation.