
    By Vincent Naughton on October 6, 2014

Information Security: Protecting Your Future

Welcome to our four-part series on information security in business. We discuss security risks, managing an incident and preventing serious damage to your organisation while keeping your competence intact.
Using our extensive experience, we show you potential savings that come with a thorough security incident plan. We will also let you know what your Incident Response plan should consider and how best to maintain it.
Across each blog, we use our significant security expertise to guide you in making the best decisions when it comes to protecting your organisation.

Part 1: Change The Conversation From “If” to “When” And Save Your Business Significant Costs

Welcome to our first information security blog. Since the onset of information security wisdom, the conventional conversation between most of the information security roles I know and their business has been varying versions of the following theme – “Give me some of the IT and risk management budgets so I can buy differing sets of information security technology and services to prevent a security incident from seriously hurting our business”.

Budget and Expectations
Statistics point to the outcome of that conversation resulting in organisations allocating between 3% and 8% of their IT budgets specifically to Information Security. My experience is that the typical C-level comprehension of this conversation is that this spend should provide a near-bulletproof fortress for their organisation’s information systems and data. Unsurprisingly, when a significant security incident then occurs, my experience is that the C-level reaction ranges from disbelief, indignation and denial to, in some cases, scapegoating of the IT recipients for wasteful or ineffective spend of this budget. In fairness to C level – they are not entirely to blame for these mismatched expectations.

Plain English
When was the last time, as an Information Security professional, you sat down with C-level colleagues (during the limited windows of time you have their attention) and said in plain English – “I need a minimum of 6% of the IT budget to appropriately address our identified Information Security risks for the coming year. Just so we are clear, neither this budget – nor indeed any amount of budget, technology or services – will prevent one or more significant Information Security incidents happening to our business in the short to medium term.”

From “If” To “When”
If we shift the conversation with the executive in our business from a vague “if it happens” to a direct “when it happens” in plain English, then there can be no ambiguity. Statistics back up this “when” assertion: 43% of respondents to a Ponemon 2014 study indicated that their organisations had a data breach within the last 12 months, up from 33% in 2013.

Significant Security Incidents
A data breach is just one form of a significant security incident; other events such as significant critical service outages (accidental or deliberate), significant malware outbreaks and data loss (non-disclosure) are not included in these figures. Statistics from the UK Department for Business, Innovation and Skills show that when all major security incidents are counted, upwards of 81% of large businesses had a security breach in 2014. This is not a comfortable admission for an information security professional, nor is it an admission that an executive necessarily wants to hear. It’s easier to pretend that all is and will be okay and that our spend and efforts will ward off all information security ills.

Justifying The Budget
So how do we now justify the information security budget and our roles in light of the fact that we most likely can’t prevent a significant breach happening? Well, you finish the last conversation with the business executive along the following lines:

“and when I get that budget we will spend it on a mix of proactive and reactive security measures, technologies and services. This will prevent, detect, mitigate and respond to information security incidents when they happen, on a prioritised basis, in discussion and agreement with the business, our partners, our customers and our insurers.”

Our next blog instalment
We take a look at types of security incidents and what it takes to protect your data.
