Here is an interview I did last week on the current lack of alignment between IT Security (the People's Republic of IT Security) and business priorities. I would say that IT Security has achieved the $2,000 screwdriver:
< snip > Question: Is the realignment important? Peterson: I think it is a big deal. I really think IT security is out of control; in many cases, they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000. If you look at the numbers objectively, you see why it is out of control, and you can use the investing habits of the business to improve the situation.
This interview was prompted by an earlier post on network security budget cruft. Investment is a big deal. There is innovation in app and data security, but there could be more if IT security invested their money with the same priorities as their business instead of searching for the nth feature on their network firewall.
If a company is putting in SAP or Siebel or whatever, you can bet the folks who run apps and databases are spending their dollars on developing and supporting those languages and databases, because that's where their enterprise is going. Meanwhile, in the People's Republic of IT Security, you can bet there is an effort underway to find some new cops-and-robbers tool that watches where employees surf, or yet another network firewall feature.
Update: Hoff annotates and provides additional insight.
In a lot of cases, I think we should turn our efforts first to re-aligning our processes before we go buy more technology. There is a lot of money you can save by tackling business issues first; many security issues stem from those and then you don't have to resort to building systems that fight what the business is trying to do.
Posted by: shrdlu | October 23, 2007 at 03:08 PM
It is due time to have IT-security people focusing on the business aspects of things. One thing is the spending, which is way out of proportion; another thing is the lack of interest in and understanding of core business values among many IT-security people. Add to this the lack of interest in ICT and security from any white-collar worker, and there is no surprise we have this situation.
Business is about maximizing profit at acceptable risk, not about minimizing or removing risk.
Any business professional is doing this every single day. What is needed is for the IT-security guys to understand that they are only part of the security structure in the company, and that their purpose is to support the business processes.
I say that business people handle risk every day; they understand and rely on risk assessment and management to do their jobs. So they do understand the basics of security.
But do security people really understand business? Do they care? Or is their only interest to check out the new, cool features in the latest FW or NAC? If so, then, well, sorry, your job is to help the business maximize its profits - not to spend a lot of dollars by investing in the latest blue and red blinking diode device to stash in your rack!
If you get offended - well, sorry. Time to wake up, perhaps?
Now, I will have another cup of coffee and continue my day.
Posted by: Kai Roer | October 26, 2007 at 01:11 AM
Unfortunately, Corporate America thinks security is "alignment of policy".
Software and system designs are handled by the architecture group . . . in high-level "Go West, Find Gold, Avoid Danger" specifications. Then those documents are sent to offshore developers who make major technical design decisions - usually without parental control. Finally, those systems are deployed on servers and network infrastructure built by a third party (three-letter) vendor - usually without any legal responsibility for application security (development or deployment).
Ask how these systems are protected and you'll hear the "policy" chant.
In order to improve the security position we need to perform a review of production and the processes we use to bring solutions into play.
Policy is important . . . but the hackers really don't care about policy, or if you are "in alignment" . . . if you use inferior development, deployment or configuration techniques they will own you.
Posted by: MSP | November 18, 2007 at 01:19 PM