Archive for May, 2008

Recently I was having a conversation with a good friend of mine. He is the Chief Security Architect for a datacenter. He was sharing with me how frustrated he has become with how his projects have been prioritized within his organization. He took this position after working as a consultant for 25 years, so he is under no illusion about how security is treated within most organizations. All the same, it is nice to vent to friends and colleagues about how “management” just doesn’t get it.

Things are getting better though. Several recent surveys that I’ve read point to an increase in prioritization of information security issues and point to regulatory compliance as the key driver. (The two that pop immediately to mind are the 2007 Global Information Security Survey conducted by Ernst & Young and the 2007 Privacy and Data Protection Survey conducted by Deloitte.)

I suppose that we should be grateful for this increase in visibility, but I can’t help but feel a bit cheated. If this increase is really due to greater regulatory scrutiny, then what that means is that the private sector is being forced to implement security controls because it has failed to do so prior to now. We live in a world where data breaches are a daily occurrence and companies are making millions helping us “protect our identity.” (Look for an upcoming blog post on that topic.)

Why?

As many of us can attest, we have been warning management for years about security issues. They either don’t listen or prioritize our initiatives so far down the project list that it is difficult to be anything but reactive. We can complain that they just don’t get it, but honestly, it isn’t their job to get it.

Now, before many of you blow your top on that last statement, hear me out. Management doesn’t get it because it isn’t their job to understand information security. That is what they hired us for. Our job is to understand the ramifications and then translate these ramifications into a language that management understands.

Now, I’ve been a consultant for over 10 years, and as I’m sure many of you can attest, it is often much easier to say that we need to translate information security into a language that management understands than to actually do it. Every organization is different. Different personalities, different priorities, different agendas, etc. What really drives an organization may be different from what the organization publicly admits. I’ve had some extraordinary successes as well as some extraordinary failures (all of them wonderful learning experiences). It often takes time and some careful observation to zero in on what is important.

In the coming weeks I’ll be posting a white paper on some of the research that has been done on how people view their world (both individually as well as being a member of a group).  This is based on some work that I started while studying for my Masters program.  It offers some interesting insights and I look forward to hearing your comments on the subject.

The end of the story is that while my friend was relaying his general frustration with how his projects were being prioritized, he was doing so in light of a success that he had in elevating one of those projects to a much higher priority.

Until next time,

Graydon
