
Contingency planning for Information Security

Posted 10-12-2008

Until the last few weeks, Information Security Managers the world over have been struggling along as always, doing as much as they can possibly do with often limited resources and uncertain support from the rest of management. Suddenly, inadequately controlled risks in the finance sector have triggered an economic meltdown that affects us all. It's a classic "something else happened" scenario beloved of contingency planners everywhere.

Given the global financial crisis, it's likely that information security budgets (along with all others) are going to be stretched taut for a while. So what is the best way for us as information security professionals to rise to the challenge?

I've already seen some pundits taking the line that information security is 'essential' and can't possibly be cut. Attempts to justify information security expenditure on cost-benefit grounds are tricky at the best of times. While I personally enjoy the ongoing discussion around Return On [Security] Investment, the fact that we as a profession haven't pinned this down as yet implies that our arguments are not nearly as clear-cut as we would like to believe. In a global economic downturn, I doubt this kind of approach will succeed. Important budgets will be cut. Good people will be laid off. Pet projects will be cancelled. In this mode of thinking, security (like risk management) is an inherently negative concept and a tough sell: people hate having to spend on something that might never happen, so when times are tough, information security is inevitably a candidate for the chop. Being the prophet of doom, issuing dire warnings about the potential outcome of security budget cuts and the need to prioritize security spend, is perhaps not the most effective response to the crisis. Even managers who accept that security is 'essential' face equally valid demands on the organization's resources from other 'essential' activities. Arguing the toss over which is the more 'essential' is simply not helpful and makes no friends.

An alternative is for us to work with management to make changes that 'create the least harm'. I'm talking about us accepting that cuts are inevitable but we should be managing the information security function to obtain the best possible value from the diminishing resources we have - not for our own selfish needs but for the organization as a whole. Perspective is important! Information security is a means for the organization's ends, not an end in itself.

Overt and deliberate alignment with corporate priorities, initiatives and missions has long been a successful strategy for information security and I see no reason to doubt it now. The trick, though, is to realize that those corporate priorities have almost certainly changed since the financial markets took a tumble, and change creates both risk and opportunity.

For example, we know that job losses and budget cuts throughout the organization put employees (staff and managers) under extreme personal stress. In such circumstances, selfish behavior is a typical human response. People who are being laid off sometimes feel justified in taking "what's rightfully theirs", which may well include intellectual property and IT hardware. Workplace security is an important consideration, and information security is part of the solution to the insider threat.

Likewise, commercial competitors facing financial hardship are likely to be more aggressively competitive than ever. They may be tempted to exploit vulnerabilities in suppliers', customers', partners' or competitors' information security controls to gain the upper hand in sales or merger & acquisition negotiations, for example. [Note: I'm not proposing or condoning the use of aggressive information security techniques. Ethics still have meaning and value, even in a crisis.]

Aside from such generic scenarios, we need to be fully engaged with senior management, actively participating in the strategic discussions around What Must Be Done Now in order to spot and respond to specific risks and opportunities as they arise. Returning to the contingency planning point I made earlier, we ideally need to be part of the crisis team or at least to be able to influence it through information security's friends in high places.

You do have friends in high places, don't you? Either way, now is a great time to be out and about, talking to managers throughout the corporation about their objectives, their worries, their needs. Strategic alignment doesn't often happen by chance. Creative managers make their own opportunities.
