5 Reasons Why Information Security Departments Are Under-Resourced
Everyone knows that once new technology is purchased, it doesn’t take long for it to become outdated. As technology in all aspects of our lives continues to develop at a startling pace, businesses feel the pressure to become as up-to-date as possible. One of the biggest concerns many companies have is keeping their data secure as technology grows around their capabilities.
Because of this, the information security departments of many companies are under-resourced, as the demand for cyber security support outstrips the organisation’s ability to provide the service.
David Owen, the director of strategy and marketing for Asia Pacific and Middle East, BAE Systems Applied Intelligence, cites five reasons information security is feeling the pressure.
1. Sensitive Information Is Proliferating Outside The Corporate Moat
Increasing numbers of employees are using non-sanctioned applications like Dropbox on work devices. As company information proliferates across a myriad of major cloud providers, business process outsourcing services, IT service providers and data analytics consultancies, security departments struggle to govern and track all of these.
2. Security Is A 'Contraceptive' Business Case
There is an indirect relationship between investments in security and positive business outcomes like higher revenue, greater market share or reduced costs. Therefore companies are often unwilling to invest in threat management as a priority over other potential business investments. This leaves the security department under-prepared for preventing and detecting cyber threats.
3. The 'Protect Everything' Mindset
Many organisations spend the vast majority of their resources on baseline controls to protect the entire organisation (often at the perimeter), rather than pinpointing controls towards the specific systems and business processes that relate to sensitive information (which often straddle the perimeter into the supply chain).
4. Hardening Regulation Adds Costs
Governments and regulators constantly ratchet up regulation, and this regulation is sometimes wide-ranging in its impact. Yet security teams are often expected to accommodate the cost of new regulation within an existing budget baseline rather than assessing the true incremental cost of adoption. This can result in a focus on compliance over risk management.
5. Cyber Security Isn't Owned By The Wider Business
In many organisations the prevailing view is that users should be able to just turn up at their computer without considering security. This mindset ignores the fact that an increased proportion of sophisticated security threats focus on persuading the user to take an active role in the compromise, and that staff, managers and leaders all own the problem.