Have InfoSec Professionals Failed?
I commented on a recent LI post asking whether the rise in cyber breaches are as a result of insecurity due to failure of InfoSec community to adequately protect their organisations.
It's not the fault of security professionals per se. It is a result of the dynamics between the accepted need for security and the need for simplicity in interconnected information sharing. Most businesses place an emphasis on the latter even if (and it often does) come at the cost of the former.
There is also a marked lack of skill in InfoSec professionals to be able to help their organisations find the balance where both can be achieved. This is because the InfoSec community is polarized between those who are IT tech savvy (and who consider management to be a necessary evil) and those who are Management only with no prior experience of the technical world. This latter group is great at learning acronyms and shamming true knowledge but when challenged to find the balance between utility and protection they cannot themselves and the techies they manage will generally tend to err on caution and not appreciate the business imperatives. So the result is bad experience by the business and resulting bad press (more likely whisper campaigns) for the InfoSec team.
In my experience, regardless of the nature of a business; government or commercial, there are three types of 'cyber risk management' organisation.
The first (circa 20% of total) are those who don't really invest in Information Security at all. I have risk assessed household name corporates whose Executives tell me that InfoSec responsibility is "shared" between them meaning they don't need a defined InfoSec Officer! I have one word to describe this lame excuse...Bull.
The second type of organisation (circa 70% of total) pays lip service or has some small investment in InfoSec; usually an IT security function as part of the IT function. In these we find InfoSec Officers with little real skills and competence who are usually in role as a result of 'sideways' assignment. You find a lot of poor project managers in these roles. Many try their best and implement some degree of process but when it comes to the crunch they are usually required to accept that projects will 'go-live' without reaching minimum acceptable levels of security. In these organisations a risk management process is either poor or non-existent and information ownership doesn't really exist. Business execs don't usually even know the names of those responsible for information security.
The third type (remaining 10%) really do take InfoSec seriously. Usually demonstrated by InfoSec being a board role or only one degree below the Board with direct and regular influence. Executives here are engaged, not so much in InfoSec, but they are connected to the types of data their organisations own (process, store and share) and to the risks pertaining to those data assets in order of criticality. They see cyber risk management as an informed set of decisions around the most effective balance between mitigation, transfer and avoidance so that what they accept is a result of maximised efficiency; supporting both opportunity to make or save money/deliver services & product and to prevent loss.
So, in short, if anyone is failing it is business leaders (commercial and government) for not being able to even name what is important to them. Suitably skilled InfoSec professionals are either enabled or prevented by these business leaders from doing what no shortage of good advice and standards recommend. Business leaders are only now waking up to the fact that their organisations are all digital and they will only be successful at managing business risk if the support for skilled and professional security and risk specialists is forthcoming.