3. Engage end users. Whether an infosec program is successful or not depends 30% to 40% on user training and awareness, Shumard says. To put it another way, even with significant care and funding given to security controls and operations, IT still faces a one-in-three chance that an end user will cause a security failure, he says. Shumard relies on those IP coordinators to get the security message across, in team meetings and e-mails or through other means.
The bank e-business infrastructure manager says his organization mandates online training on a variety of issues, including information protection. The sessions are self-paced but tests are given at the end.
4. Assign ownership and accountability. Security messages carry greater weight when they come from the top. "If people get a message from a direct boss, it has more resonance than coming from some third-party security group," Shumard says. It also lets business leaders tailor security technologies and practices to the specific operations--and risks--of their units.
Meantime, the security group is there to support the business units. For example, if a unit contracts with a new vendor that will be handling sensitive data, the security team assesses the vendor and identifies risks and mitigation strategies before a contract is signed.
"We make it clear that the businesses own the risk," says Vanguard's McNabb. "We have groups such as infosec and compliance to help, but we want the businesses highly engaged." Executives also know that screw-ups get reported right to the top. "I see the report, and it's a pretty quick conversation after that," he says.
5. Write the checks. Only 16% of respondents to our survey say their 2009 security budgets will decline compared with 2008. Sixty percent say they'll stay the same, and 24% say they'll increase.
Of course, it doesn't hurt that security lapses have been in the news lately. The security analyst at the retail chain says that in the wake of news reports about the Heartland breach, his team has been asked by the CIO to go back and review the 2009 security budget, to see if there are gaps to be addressed. McNabb says it would be "penny-wise and pound-foolish" to reduce security efforts at this time. "There will be more clever and insidious attacks in this climate," he says. "We have overall budget constraints, but one area off the table is security."
Of course, not every organization has the resources of a company managing a trillion dollars in assets. But lack of funding doesn't preclude organizations from taking the previous four steps.
The retailer security analyst takes a Zen approach to corporate barriers to information protection. "When water flows downs a mountain," he says, "if it runs into an obstacle, it finds a way around it to continue on its course."