Incremental security improvements require attention to people, as well as technology
Tuesday, August 4th 2009 @ 7:46 AM
I believe it's true that you can initiate a self-funding security program. But in this SC Computing article by Chris Sullivan (click HERE), an assumption is made that it can all be addressed with automation (or technology). That assumption is a big one, and it is misleading.
The article explains that IT managers face big challenges in negotiating with CFOs (or other executives) for a big, lump sum investment in security that will have a payoff later. Instead, Sullivan points out that it can be more effective to paint a picture of incremental improvements that generate small, but significant savings, with which you can re-invest in the security program.
The very thing that makes this article useful also gives a number of clues as to why, in its current form, it is a bit unrealistic. In other words, I'm taking issue with the fact that no mention is made of what really happens after you successfully negotiate this plan.
- Savings from security will not show up as a statement of credits and debits in your inbox. If you have historically worked with a budget for "contingency costs", you may see that it is not as overdrawn as it would have been had the security improvements not been implemented. So, what will you have after the first iteration to re-invest in the next phase of security? My guess is, diddly-squat. If you never had a contingency budget, you may not even be able to find the incremental cost savings from security improvements. You will need to look for innovative ways to measure those incremental cost savings, too.
- The article never mentions the impact this kind of plan will have on the organization's culture. Even small changes to a security program, such as changing password policies, will often result in unofficial "workarounds" by staff if they are made without an initiative to educate staff on why the changes matter and how to secure the manual processes in their own workflow contexts. Staff react this way to what they perceive as unnecessary barriers to productivity.
In general, I actually agree with Chris Sullivan's approach of leveraging new technologies that can improve audit and measurement, and therefore, make it more practical to do incremental security improvements. Furthermore, it is good to do things in a way that will make it more palatable to the person with the purse-strings.
But I really think that managers will be disappointed and frustrated by the results of this process if they do not address the cultural and workflow issues in the non-technical aspects of their business.
Quality improvements in workflow can also be measured - sometimes with automation, but sometimes only with manual effort. Workflow quality improvements can also result in security improvements, and they are almost always a consideration in any technological improvement to business processes.
How is your business measuring ROI for technology, security and workflow improvements? What do you think it will take for this approach to work?
My live security awareness webinars are a quick and affordable way to provide your entire staff with professional quality security awareness training and education - whether it's general training or for specific teams or industries. I offer group rates and can tailor content to your specific needs. Please call or email me at the coordinates below, or CLICK HERE to see my training webinar catalog.
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at: http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997 Email: scott@streetwise-security-zone.com Twitter ID: http://www.twitter.com/streetsec
To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.