By Kevin Beaver, Guest Blogger, Lancope
Fairly often, I have friends and colleagues outside of IT and security ask me how work is going. They’re curious about the information security industry and ask questions like: How much work are you getting? Why are we seeing so many breaches? Are things going to get better? Given what’s happening in the industry, I’m always quick to respond with some fairly strong opinions. So, where are things now, and what’s really needed to resolve our security issues?
First off, based on what I see in my work and what I hear from friends and colleagues in the industry, I’m convinced that what we’re seeing in the data breaches and hearing about in the headlines is merely the tip of the iceberg. I suspect that there are three to four times the number of breaches that go undetected and unreported. I also see many IT and security shops merely going through the motions, just trying to keep up. Putting out fires is their daily tactic. Big-picture strategies don’t exist.
In my specific line of work performing security assessments, I see people sweating bullets anticipating the results, unsure of how the outcome is going to reflect on them, their credibility and their jobs. I’m not saying this to speak negatively of the people responsible for information security. I just think it’s a side-effect of how IT and security challenges have evolved in recent years. The rules and oversight are being piled on. Ironically, in an industry that traditionally offers a strong level of job security, it seems that more and more people are concerned about that very thing.
A core element contributing to these challenges – and something that doesn’t get the attention it deserves – is a glaringly obvious lack of support for information security initiatives at the executive and board level. Sure, there are occasional studies that show that security budgets are increasing; however, more often than not I’m seeing and hearing sentiments along the lines of a recent study that showed the majority of C-level executives do not believe CISOs deserve a seat at the leadership table. So, it’s more than just budget. It’s political backing as well. This begs the question: who’s responsible for this lack of respect for the information security function? I believe it’s a chicken-and-egg situation involving responsibility and accountability on the part of both IT and security professionals and business leaders. I’ll save that for another blog post.
Politics and business culture aside, there are still many situations where all is assumed to be well in security when it is indeed not. The lack of visibility and data analytics is glaringly obvious in many enterprises, including large corporations and federal government agencies that one might assume really have their stuff together and are resilient to attack. In fact, I strongly believe that many – arguably most – security decisions are made based on information that’s questionable at best and this is why we continue to see the level of breaches we’re seeing.
So, where do we go from here? I’m not convinced that we need more policies. Nor am I convinced that we need better technologies. People are continually chasing down this rabbit hole and that rabbit hole in search of the latest magical security solution. Rather than a new direction, what we need is discipline. For decades, we’ve known about the core information security principles that are still lacking today. Unless and until everyone is on board with IT and security initiatives that impact business risk, I think we’re going to continue with the same struggles. I hope I am proven wrong.
Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC.