Sliding IT security priorities put enterprises at risk

I read somewhere about the government’s intent to increase budget allocation towards fighting and creating cybersecurity awareness. The link was hidden somewhere towards the bottom of the newsletter; quickly I clicked through to read word by word the good news and realized that it was indeed true ! The chart showing CAGR was quite impressive with the trend line going north; then I looked again at the Y axis to find that the investment per annum was so low that the entire news was like actually too scary to be funny.

Not too long ago when I wrote about Creating Secure & Safe Enterprise, many CIOs and CISOs wrote back with their personal experiences; most of them agreed that their realities were reflected within. Some of the interesting facts that emerged is that budgets were a challenge, but then not really a challenge when an incident occurred. With corporate focus on short-term goals and measurement of tactical performance, the biggest challenge that everyone unanimously portrayed was that of sliding priorities with security settling close to the bottom.

Why is security investment such a drag when it comes to budgeting and spending ? Why do enterprises and with that I imply the CXOs who collectively represent the Management believe that they don’t really need to invest in protecting their information assets which are family jewels in most cases ? What creates such a lackadaisical attitude towards creating process, policy, and implementing tools that provide a secure framework to do business despite the fact that threats are increasing and businesses are losing customers, revenue and credibility !

Everyone agrees in principle that security is a must; they (the CXOs) espouse this in conferences and project themselves as the messiahs of information protection and security. When one such leader was asked pointed question on the budget allotted, he sidestepped the question deftly instead talking about how the industry needs to up the ante. The lip service that ignores the elephant in the room is beginning to hurt enterprises. The cause for such an attitude towards keeping the doors and windows open has to be deeper.

I am not that big and not an attractive target for anyone ! Why would any hacker want to breach our security ? Our customer data is locked up on one computer and only two people have access to it; they are both trustworthy. We don’t have anything worth stealing, so why would anyone compromise our systems ? We know internal threats are higher than external, we have information distributed across multiple solutions, so no one can decipher the full picture; we have locked USB, installed anti-virus and firewall, isn’t that enough ?

Is lack of awareness or education creating a false sense of security and complacency ? Or is it a belief that such things happen to others and I am safe ? Is CXO ignorance and indifference an acceptable proposition towards defining the security posture of an enterprise ? When you live dangerously sooner or later an adverse incident does occur and that is when the scapegoat syndrome always ends up pointing fingers at the CIO or the CISO, and/or the service provider. Breaking this paradox is the need of the hour for enterprises.

No one wants to fall sick or die but everyone takes health and life insurance ! Investments in security are like insurance to protect the business. Physical security has seen this paradigm shift with electronic tags and biometric solutions becoming the norm. With the number of threats increasing and new ones emerging, the education of CXOs is not just an imperative but an urgent need. CIOs, CISOs, Internal Audit, and Risk Committees have to own up the information protection agenda and drive it with their collective might.

Using ethical means to understand vulnerabilities and fixing them should be high in the corporate agenda towards creating a safer digital enterprise. Customers and consumers are becoming sensitive to this fact and the probability of them taking their business elsewhere is beginning to happen. A safe and secure ecosystem is required for the extended enterprise including suppliers, contractors, partners, and customers. The writing on the wall is that companies who emerge as secure digital enterprises will be winners of the future.

Where are you ?