Task for security officers is budgeting for the unexpected

Listen to this article

00:00
00:00

If you had overheard any group of information security officers partaking in a drop of cheer this festive season, you would have probably heard them commiserating. Their departments are dangerously understaffed and underfunded; many think they survived last year as much by luck as by judgment. So what has happened to make their world so much worse?

First, the sheer number of threats to be protected against is surging and at the same time there has been an explosion in regulatory and compliance requirements that divert scarce resources from operational tasks.

Second, most organisations have not realised the sea change brought about by criminals moving into cyberspace. Current security systems were usually designed to resist attack from crackers who hacked as a hobby, rather than career criminals who have the time, resources and financial incentive to breach your security.

Third, resources are often deployed in the wrong place. Most companies’ security efforts are aimed at protecting their network perimeter and keeping the bad guys out. But in today’s environment there is usually no easily defined perimeter and resources would be better used building stronger security controls into applications and data repositories. This task is often exacerbated by the use of new technologies such as instant messaging and voice over internet protocol. They may be off limits today but will be embraced tomorrow without much thought about how they are going to be secured.

Most importantly, however, because information security is now recognised as a critical component of the enterprise and a significant area of expenditure, it is coming under increasing scrutiny from management.

Information security officers are expected to be business-focused and have the same predictive and methodical approach to expenditure as any other departmental head. Gone are the days when the in-house security guru could simply ask for security tools and get them without a detailed cost analysis. Budgets are expected to be forecast and monitored: which is to be encouraged so long as the budget is seen as being simply a tool for delivering financial propriety.

However, the security threats that have most impact on that bottom line often come from nowhere. Because they cannot be foreseen, they cannot be budgeted for.

Many financial institutions were slow to protect their systems and customers from phishing attacks because their security departments hadn’t budgeted for protection. Now they do, and many are providing devices that offer “two factor authentication”.

Unfortunately, criminals move faster than an organisation’s budget cycle and have already developed ways to circumvent these devices.

To protect their organisations adequately in today’s constantly changing environment, security officers will have to move their posture from being reactive to one where resources are intelligently and imaginatively put in place to counter emerging threats.

Even if security officers did manage to set aside their worries for a little Christmas partying, the song on the jukebox was likely to feature lyrics by Athlete: “Out of nowhere – it came and hit me on the head.”

That will be a lame sort of apology if the budget leaves no room for manoeuvre when the unforeseen hit comes and the company is left concussed, with customer service out for the count.

Security Matters was written by Ian Cook of Pentest, a security company offering services in Europe and North America. ian.cook@pentest.co.uk

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't copy articles from FT.com and redistribute by email or post to the web.