You are faced with an insurmountable problem: Your job requires you to keep the business secure from external attacks, and you must take action to deal with the threat from malicious insiders. It is your responsibility, and your job may well be on the line if something goes wrong and data is stolen, or your network is infected with a virus or malware.
Unfortunately, you have not had a budget increase and cannot afford to purchase the software solutions necessary to protect your business from attack.
This is a problem faced by many IT professionals. Management understands there is a risk and knows the risk is considerable, yet they expect you to work your magic with your hands tied behind your back.
You are not a magician, so if management wants to be properly protected, it is your job to convince the powers that be that you need a bigger budget. We know you have already tried this. What you therefore need to do is improve your communication skills. You need to find a way to convince management that additional funding is absolutely essential. One of the best ways of doing this is to explain that security risk is actually business risk.
You are not alone – 50% of IT professionals work with inadequate security measures
IT department funding is almost always limited. It is not possible to purchase the highest quality equipment, the best possible security measures, and have enough staff members to perform all of the required work. So if you are stressed, are suffering a critical lack of funding, or are desperately understaffed – you are not alone.
The situation has recently been assessed by the Ponemon Institute. Its latest survey probed IT security professionals and asked them about the level of security in their organization. It would appear that when it comes to cybersecurity protections, the management and IT department heads are often not on the same page.
The survey was large. Over 5,000 IT professionals sent back responses to the survey, and more than 2,500 of those respondents said their cybersecurity measures were inadequate. The problem for many was the fact that upper management simply did not understand just how important it was to improve network security. Sure, they understood there was a risk of attack, but they didn’t understand just how serious that risk was.
If a cyberattack occurs, it is their fault, right? Unfortunately, you may have explained the risk until you were blue in the face, but how well did you communicate it?
A survey conducted two years ago by Ponemon suggests that when it comes to communicating with management, IT security professionals often have problems. In fact, 64% of IT staff were discovered not to have effectively communicated the seriousness of the threats, or had only started to communicate them properly following a data breach. Nearly half of the IT professionals taking part in the 2013 survey said communication between the IT department and management was “poor, nonexistent or adversarial”.
IT budgets rarely reflect the seriousness of security risks
When budgets for IT security are calculated, they are rarely sufficient to allow all risks to be effectively neutralized. Spending is often misaligned with the needs of the business. According to the Ponemon study, only 11% of the average security budget is devoted to protecting the application layer. Interestingly, 37% of organizations believe that the application layer poses a threat to the business’s data security.
Why is this the case? According to Larry Ponemon, founder and CEO of the Ponemon Institute, it is because management has not been provided with the right information. He says that few organizations have actually performed a full security audit, and that security risks have therefore not been identified. As a result, management is not aware of the level of risk, and budgets are not set accordingly.
Any organization that fails to invest in IT security is likely to have to cover far higher costs in the long term. Take Target, for example. The money spent on resolving its data breach is far higher than the cost of implementing solutions that would have prevented the attack from being possible in the first place. The company now has to cover the cost of data breach resolution in addition to investing in better security. The cost of the Target data breach is expected to top $1 billion!
If security intelligence technologies are implemented, companies are much better equipped to detect intrusions and contain attacks when they do occur. According to the study, breach resolution costs are, on average, $1.6 million lower when security intelligence technologies were implemented before the breach occurred.
IT security should not be an afterthought. Proper investment will see more security breaches prevented and the cost of resolution significantly reduced. It is therefore essential to communicate the need for investment. The most effective way to get your voice heard is to provide facts and figures to back up your argument, and to explain security risk in the context of the financial cost, the operational problems that will follow, and the likely damage to the company’s reputation if a breach occurs.
Security tools are not cheap. Understand the business drivers that generate the funds that will cover the cost of security software and become more effective at communicating credible risk. Give management the information it needs to understand why greater investment is needed. You are then likely to be given the funding you need to effectively manage security risk.