IT security professionals whine too much. Their initial complaints often center on small or non-existent budgets. Then they focus on how colleagues, bosses and board members frequently overlook or simply shun the efforts they take to protect company assets.
This is what a long-time IT security pro thinks, who said during a recent conversation that CSOs and the like in companies of all sizes are trapped in a cycle they are too comfortable with to abandon. Whether in a Fortune 500, in a government vertical or in the financial sector, too many security practitioners fail to figure out how to overcome these gripes, for fear that taking a much-needed bird's eye view will reveal a resolution leading to a bigger workload – at least, initially.
But that time and effort at the start will help them change others' opinions of their initiatives and typically lead to more money and resources for their departments, he continued. The planning rests on the adoption, management and constant refinement of metrics that measure the value of infosec initiatives.
When talking with his counterparts who voice these grievances, he asks them how they go about proving their value to their associates and corporate leaders, and how they show their immediate bosses that throwing additional funds their way will benefit the business. When they realize there will be no bosom-buddy pity-party with him, they say that not having been hit by a blended attack lately should be proof enough. After all, no professional in this space gets a pat on the back for having a day go by with no downtime due to a breach.
And that swiftly brings him to his point, he says: By charting just how many attacks were thwarted, noting just how much down-time was avoided, showing just how much money was saved in keeping the company up when others in their industry were falling victim to the likes of Zotob, the value of IT security and the department is thrown into sharp relief.
And recent months have been one of the most important times in this respect, given November's Sarbanes-Oxley deadline. As companies' IT security pros scramble to meet such legislative mandates, their worth to enterprise leaders is obvious. When lawmakers' deadlines aren't looming, however, a strong set of metrics showing how infosec departments are keeping their companies up and running, even enabling business endeavors, will help to remind corporate leaders just how valuable information security pros truly are.
l We've redesigned our website. As well as the usual content, you'll now find real-time updates on vulnerabilities, up-to-date information categorized by IT security sector, job openings and more. Let us know what you think.
Illena Armstrong is the U.S. editor