OK, so how do we get there? We'll lay out some steps later, but first there are five larger roadblocks to address.
>> Multiple parties vying for power, opportunity, and relevance. Risk management crosses many fiefdoms: CIO, CISO, compliance officers, even internal audit, insurance, and legal all want a stake. Meanwhile, the security team doesn't own the risk lexicon. Don't try to dazzle colleagues with jargon; engage them and leverage their experience and expertise.
>> Limited success and confidence from the organization. Security teams have been slogging along for years, straining to be heard and respected, yet compromised systems, data loss, and perimeter breaches are still common.
Companies that should know better deploy systems and devices with default configurations, run old and vulnerable versions of operating systems, can't manage to patch critical systems, and have no secure application coding policies. Consider our survey responses when we ask how effective security programs are: Only 10% rate their programs excellent. Thirty-eight percent select generally satisfactory, and the remaining 52% go downhill from there.
The information security officer for a state-level government law enforcement organization reflects on this malaise: "General thinking in management is, 'It has never happened before, so it won't happen in the future,' and, 'If it does happen, no problem as long as it doesn't happen on my watch.'" This law-enforcement group, which has more than 5,000 workers, employs one lone CISSP.
>> An inability to develop and execute on a vision. Maybe you think you don't have time for strategic planning. Often, companies don't expect it of CISOs and security managers, so they have never gotten into the habit of thinking long term.
>> A perception of security teams as combative and obstinate, prone to slinging fear, uncertainty, and doubt to force change. There, we said it. Always pointing out your technical superiority and the problems your users cause is no way to build camaraderie. We haven't driven everyone away--64% of survey respondents say business executives and IT are either fully or generally in agreement on risk management program priorities, activities, and value. Just 4% say those groups are at loggerheads. But it's not just the CEO you need to win over. Alliances are at the heart of risk-based security.
One of our clients has long struggled to do regular information security assessments. It's a sensitive subject--systems aren't as stable as they should be. The IT team already works six-day weeks, and there were no known compromises to force the issue. Finally, the security team allied itself with the audit group, aligning its responsibilities with a critical area of concern to the business. Security was no longer the lone shepherd crying wolf.
>> The security technology landscape isn't helping our cause. Standard defenses like antivirus software are ineffective and expensive, Web application firewalls require security teams to know as much application logic as developers, and a parade of new end-user devices and computing paradigms only adds to the problem. Take the iPad and smartphones. They've become standard gear for sales teams, but mobile device management policies haven't kept up.
Under the old security model, sales executives were expected to get clearance before letting their staffs upload sensitive information, like price lists, to mobile devices. But we all know that isn't happening. The cloud is another example of how rapid change is outpacing our ability to ensure security. Forget putting the brakes on; mobility and cloud services are seen as bringing competitive advantage. Maybe the risks involved are worthwhile, maybe they aren't. It's not your job to decide. Your job is to be a trusted adviser, providing the risk analysis that will let business leaders make informed decisions.
We've faced power struggles and technical roadblocks before. Smart infosec teams will see this period of transition as an opportunity to reengineer themselves and their organizations.
If it sounds like we're telling you to embrace turmoil, you're half right. But here's the flip side: A risk-management-centric security strategy can be a vast improvement over how we're living today. Imagine that instead of fighting to be heard, you're working with the business toward a shared vision. That can't happen until you have a coherent way to set policies and select technologies.