Resources for Information Security: A Constant Struggle
Many of my friends (as well as myself) are chief information security officers (CISOs). Whenever we talk, the topic of resources for information security (or, more precisely, the lack of resources) seems to come up. CISOs who have served in this position for a while get a kind of gut feeling concerning the level of resources needed to reduce information security risk to an acceptable level. Inevitably, the amount they request never matches the amount needed. Information security professionals are constantly struggling to obtain a sufficient amount of resources.
How much is enough? There is no set answer to this question, but a good starting point is determining how much it costs to reduce residual risk to an acceptable level. No precise way to determine this exists, however. The best that a CISO can do, therefore, is to make an educated guess, something that may prove too imprecise for MBA-educated, numbers-oriented senior managers. Another possible approach is to look at the amount of funding allocated to information security practices in other organizations, especially peer organizations (e.g., in the manufacturing arena, the financial arena, and so on). Information security receiving three to five percent of the overall IT budget is not uncommon, except in the financial arena, where receiving seven to nine percent of the overall IT budget, or sometimes even more, is not unusual. This amount of funding generally allows a CISO to hire a reasonable number of information security staff and initiate and/or maintain several projects designed to better control risk in areas such as user identification and intrusion detection/prevention. At the same time, however, it still leaves the CISO frustrated, knowing that some potentially serious risks are not being adequately addressed because of lack of funding.
Too often the lack of information security resources can be attributed to failure to “make the sale” to senior-level management. As I have discussed in previous blog entries, senior management is likely to be naïve regarding information security-related risks and thus disinclined to invest much in addressing these risks. “Mental accounting” often occurs—in the mind of too many senior managers, ten thousand dollars spent on information security seems like more money spent than ten thousand dollars spent on a new business initiative. Getting senior management to hop aboard the information security bandwagon is the best solution, but doing this is no easy or quick matter.
In the absence of sufficient resources, CISOs simply have to do the best they can do with the resources that are available to them. Certain initiatives will invariably have to be scuttled or cut back. The information security steering committee is likely to be able to offer wise counsel concerning initiatives perceived to be of lower priority and thus that are better candidates for shoving to the backburner. Additionally, effective CISOs leverage resources in related areas such as physical security and network operations to get some tasks done despite a lack of information security resources. Building highly cooperative relationships with managers in these areas is thus imperative. Outsourcing may also help in reducing expenditures somewhat, leaving some resources available for other initiatives that might not otherwise get underway. Automating functions such as log inspection and user provisioning may also serve this purpose.
Information security professionals may perpetually complain about the lack of resources available to them, but the fact of the matter is that even in good economic times, there is likely to still be a funding shortfall in information security. Face it—information security is just one of many proverbial mouths to be fed in a typical organization. What is really important, therefore, is not to despair and complain that too few resources are available, but instead to view managing an information security program well on the resources that are available as a challenge to be relished. In my mind, the CISO who views the problem in this manner and manages available resources accordingly is one of “the few, the proud,” the type of person who is most deserving of professional recognition.