Security’s Shaky State

// December 6th, 2005 // Security & Privacy, Technology

Information Week has an article discussing the perennial shortfalls in IT security staffing and budgeting. Few departments would argue they have adequate staffing and resources to do the best job they can, but I have to concur that IT security has had exceptional difficulty conveying to managers the ROI of preventative security measures.

To security people, the value seems obvious. To managers, it’s overhead — a dollar that’s taken from higher profile projects or new product development and they want to spend as little as possible to get by.

I’d say over 80% of the security consulting I do is after a major compromise or data loss event. Despite my best efforts to the contrary, companies often can’t stomach that a problem might arise until it’s in their face and they’re fighting to save customer relationships and their own jobs.

Security pros are constantly fighting fires in a culture of enumerating badness, which I’ve discussed previously here.

Clearly some corporations have complex and sophisticated security infrastructures to protect their critical data, systems, and networks. However, many small and mid-sized companies have to stretch scarce IT dollars far, and security rarely gets a share of the pie in proportion to the demonstrable risk of exposing corporate IT assets to compromise or loss.

Further, security pros not skilled at communicating the company’s exposure may find themselves scapegoated when the house of cards collapses.

From the article:

“Managing expectations is important for handling staffing inadequacies, Clissold says. It’s vital to define what should be expected from IT security groups–and what they expect from management–to deliver an expected level of service. Security managers must know their business and be innovative and resourceful.”

My best advice to security pros who find themselves underfunded or underappreciated is: have good backups. This is something that is typically within IT’s budget and control, and I’m always shocked to find customers who have only rudimentary or even no backups in place. I recently ran across one company that lost customer data due to a system compromise and had no backups. They were able to recover the data thanks only to the existence of the Google cache (!!!).

Over time, data will inevitably be lost — whether to compromise, disk failures, or inadvertent deletion — and backups are the only thing that will get the data back.

Well, that or the Google cache…. Which will you depend on?

Read more at Information Week.