CAMBRIDGE, Mass. — Credit union managers in charge of IT security often face a dual challenge as threats mount while spending falls. And they're not alone.

According to Forrester Research analyst Khalid Khark, "In the security spending heyday, security budgets sometimes touched 10% of an organization's overall IT spending. Those days are gone."

He says security managers now face shrinking budgets and increasing expectations from executive management and often tell him that, "management doesn't understand security."


In a report on how chief information security officers can deal with that new reality, Forrester Research (www.forrester.com) advises that CISOs devote some energy to selling and justifying their needs, not just to the technology itself.

"To make sense of existing investments and justify future spending, CISOs need to market information security to management regularly and to focus on people and process proportionately to technology…," Khark says.

In his report, Khark says CISOs struggling for more funding, or just trying to stay current, face three challenges: unpersuasive security reports, scare tactics that no longer work, and security money that now flows to compliance instead.

Exacerbating that, the Forrester analyst says, is the following natural tendency: "Being techies, a lot of CISOs look for products with the richest feature set and most-advanced technology. While this may be a reasonable strategy for product evaluation, it leads organizations to select products that either don't integrate well into their environment or are technically immature."

The focus, instead, should be on investing in the "right technology," Khark says. "More security products don't mean more security," the report says. "For example, Forrester sees a significant gap between what companies buy to protect their data from breaches and how the breaches are actually occurring. Spend where it will have the most impact."

He also says more investment needs to go to the people involved, through security awareness and training programs.

The Forrester analyst says there's a common approach among leading CISOs.

"They focus on security in support of the business, with regulatory compliance as a byproduct rather than making regulations the basis of their security program," Khark writes.

Among the report's recommendations:

o Design a marketing plan for information security. The goal is to change senior management's perceptions, "a difficult and slow process." Forrester says successful CISOs "persistently market security across the organization. They often work with individuals and business units on projects and deliver results consistent with their marketing message."

o Develop a balanced approach for protection. Depending on technology alone to protect an organization "is a recipe for disaster," Khark says. "To adequately protect your organization with the right mix of people, process and technology, CISOs need to understand the business, not just the technical infrastructure."

© Touchpoint Markets, All Rights Reserved.