What’s Wrong With Information Security? Part 1

When you research the challenges organizations are having with information security, you find an abundance of answers. In the first few minutes I found three different lists that each claim to have identified the “top” problem areas, along with a wide variety of opinions, statistics and justifications to back them up. These lists talked about mobile security issues, cloud migration, Distributed Denial of Service (DDoS) attacks, APTs, state-sponsored espionage, and the latest buzzword, “Big Data.”

No offense to the authors of those lists, but what about the everyday problems that companies face? For example, the number one issue on SC Magazine’s Top 10 Security Challenges for 2013 is state-sponsored espionage. Is that a risk? Sure it is, but what about the malware an employee opens because Aunt Betty e-mailed her new recipe?

The problem with Information Security today is people, plain and simple. I have had the opportunity to speak with many clients at many different points in their information security maturity. The one thing they all have in common is that most of their problems come back to human issues, not technical ones.

Why is this? In many organizations, IT managers are purchasing hardware and software solutions, not people solutions. Rather than creating policy documents and implementing processes, they are buying a box and plugging it in.

A great example comes from personal experience. One of my clients spent $4.2 million on a network access control system. Sounds promising, right? When I was on-site for the assessment I discovered that nobody had looked at an alert on the console in over six months. Not so promising.
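The condition in that anecdote, a console that is generating alerts nobody reads, can be measured from the tool’s own alert export rather than taken on faith. The script below is an added example, not code from the original post or from any NAC vendor: the CSV layout, the status values (new / acknowledged / closed), the seven-day threshold and the alert rows are all constructed for the example.

```python
"""Audit an alert export for a backlog nobody has worked.

Added example, not from the original post. The CSV layout, the status
values (new / acknowledged / closed) and the seven-day threshold are
assumptions; the rows below are constructed, not a real NAC export.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export: a handful of NAC-style alerts.
SAMPLE_EXPORT = """\
alert_id,timestamp,severity,status,summary
1001,2013-01-03T00:00:00Z,high,new,Unregistered device on VLAN 20
1002,2013-01-04T09:30:00Z,medium,closed,Agent check-in failed
1003,2013-02-10T00:00:00Z,high,new,Rogue DHCP server detected
1004,2013-07-12T00:00:00Z,low,new,Endpoint missing patch baseline
1005,2013-07-14T16:05:00Z,high,acknowledged,Quarantine bypass attempt
1006,2013-03-01T00:00:00Z,low,new,Printer failed posture check
"""

# Fixed "now" so the example is reproducible; a real audit would use
# datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2013, 7, 15, tzinfo=timezone.utc)

# Assumption: "new" means nobody has touched the alert at all.
UNHANDLED_STATES = {"new"}


def parse_alerts(export_text):
    """Parse the CSV export into dicts with timezone-aware UTC timestamps."""
    alerts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        alerts.append({
            "id": row["alert_id"],
            "timestamp": ts.replace(tzinfo=timezone.utc),
            "severity": row["severity"].lower(),
            "status": row["status"].lower(),
            "summary": row["summary"],
        })
    return alerts


def alert_backlog(alerts, now, max_age_days=7):
    """Summarise alerts nobody has handled.

    Returns the number of unhandled alerts, how many of them are older
    than max_age_days ("stale"), the age in days of the oldest unhandled
    alert, and the stale count broken down by severity.
    """
    max_age = timedelta(days=max_age_days)
    unhandled = [a for a in alerts if a["status"] in UNHANDLED_STATES]
    stale = [a for a in unhandled if now - a["timestamp"] > max_age]
    oldest = max((now - a["timestamp"] for a in unhandled), default=timedelta(0))
    return {
        "unhandled": len(unhandled),
        "stale": len(stale),
        "oldest_unhandled_days": oldest.days,
        "stale_by_severity": dict(Counter(a["severity"] for a in stale)),
    }


def console_is_unwatched(report, max_age_days=7):
    """True when the oldest unhandled alert is older than the threshold,
    i.e. the tool is producing alerts that nobody is reading."""
    return report["oldest_unhandled_days"] > max_age_days


if __name__ == "__main__":
    report = alert_backlog(parse_alerts(SAMPLE_EXPORT), REFERENCE_NOW)
    print(report)
    if console_is_unwatched(report):
        print("WARNING: alert console appears unwatched; oldest unhandled "
              f"alert is {report['oldest_unhandled_days']} days old")
```

Run against the constructed export, the report shows four unhandled alerts, three of them stale, with the oldest 193 days old; that is the kind of number to ask for before judging whether a purchase is being operated or merely plugged in.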

If you had 10% of that amount you could hire a really good staff and a consultant to develop an information security program. That program would include policies, procedures, configuration standards, and security awareness training. That staff could then implement the program and monitor the network and systems for malicious activity.

So which is more effective, spending millions on a network system and never looking at it or spending a fraction of the cost to have someone monitor it for you? Personally, I’ll take a person over a box any day.