In the process of preparing for a data security meeting next week, I have been asking myself, "Why is it so darn hard to convince those who control the purse strings to spend money on security?" If you talk about data security to most people they will nod their heads in agreement that it is an important issue, but if you then press them on policy or budget you get stonewalled. Why is that?
The answer to that question is that data security or its lack does not provide a tangible, immediate threat to most people, and it is only when they are directly affected that it becomes a burning issue for them.
People often refer to security measures as insurance and use the term "risk analysis" when talking about security. Yet the lack of personal loss makes data security a harder sell than life insurance! At least when a person is considering life insurance, they know they are going to die at some point. It's a certainty. The same might be said for homeowner's insurance -- those who buy it know they need to make sure their largest investment is covered in case of a disaster, and most people would consider the destruction of their home a personal loss.
But who gets hurt in an organization if a data breach occurs? The CIO, the Security Officer (if there is one), and maybe the CEO, depending on the size of the breach; the victims, of course -- or maybe no one at all! We have seen over the years that the repercussions for losing data are usually not that severe as far as many organizations are concerned.
This of course leads to the gambling known as risk analysis -- where one or more individuals in an organization get to decide whether paying for prevention and enforcing policies and procedures is "worth" it. They weigh the risks of a possible security breach against the possible repercussions of said breach.
Most often, it is not the CIO or security personnel who get to make the decision. Yet, they are the ones who are held accountable if an event occurs. This is why data security is often driven by IT, even though other areas of the organization really should champion it.
So how do we, as IT personnel, manage to get adequate funding? I believe there are several ways of doing so:
1. Communicate. Make sure that other organizations that are experiencing data breaches are pointed out to your decision. The more often you can put the issue in front of them, the more they will be attuned to it, particularly if the breaches are in the same industry as your own organization.
2. Get your IT governance body behind it. This is not an issue you should be pushing alone. Get help from the rest of your organization.
3. Make it personal. Security is behavior as much as it is technology. Push for data security policies and procedures that have teeth. Some people are conscientious by nature; others need to be motivated by consequences.
4. Educate. Again, tying back to behavior and communication, we have to get the word out. Just like with sexual harassment and diversity training over the years, our organization's employees need to be continually exposed to security issues and the policy and procedures that govern them.
5. Legislate. Communicate with your legislators at all levels regarding the penalties for losing personally identifiable information. Let them know that the penalties need to be significant in order for people to stand up and take notice. Why do you think there was such fervent activity regarding the Sarbanes-Oxley Act? The legislation has teeth and the CEO of organizations impacted by the act must sign on the dotted line that their organization's financial reports are "sound."
6. Work incrementally. Unless an organization experiences a breach that causes it some pain, in which case purse strings suddenly loosen up, data security is something you are going to have to do incrementally. Build a framework for where you want to be and work your plan from there. Security is difficult to build over night.
7. Make it part of compliance. I might sound like a broken record, but there is a reason I keep touting the benefits of choosing an IT framework and compliance and certification. If security is part of your "score card," it is easier to sell if you are getting "dinged" because of it.
8. Auditors are your friends. No organization likes to be pinged on audits. Help them to help you make your case.
9. Perform the risk analysis yourself and make your case for it. Since you are probably the one who will be sacrificed in the event of a significant breach, do a thorough risk analysis. Yours will probably be more comprehensive than someone not familiar with IT.
10. Think out of the box. There are creative ways of mitigating risk in an organization that you probably have not considered yet. Look to other industries and see what they are doing and whether it would fit your organization.
While it can be frustrating to us because we think that data security is a "no brainer," it is not that different from the other un-sexy things in IT that we have to work for to get funded. Doing the things above will help to change minds, both inside and outside your organization -- and at the end of the day, I would still rather sell security to my organization than sell you a life insurance policy. To me, IT is a lot more fun <g>.