Justifying information security expense can be difficult in today's economic environment. It often takes creativity and communication skills to explain why the cost of security controls has to be balanced against the risk the organization is willing to accept; that balance is what determines whether its information assets are effectively protected. Sadly, in many organizations that balance is never struck, and there is no information security budget at all.
A good basis for understanding security controls is the distinction between administrative, technical and physical controls, with administrative controls being the most important. Yes, that is correct: any expenditure on a technical security solution should be traceable either to a requirement in the security policy or to a mitigating control for a risk identified during a risk assessment. Technical controls are commonly used to automate what cannot be done adequately by manual effort. Physical controls start from the basic premise of locking the data center door and preventing unauthorized physical access to systems. Regular reporting should be the standard method for justifying security control expense; it shows how well a tool is working and demonstrates that it is being evaluated on an ongoing basis.
But with a low or nonexistent security budget, how can security become a bigger priority? One approach is to look for opportunities to integrate security into processes that already exist. Opportunities may include:
- Security awareness training - this is one area that should not be taken lightly. It is the opportunity to tell users how to protect corporate information assets, what the security policy says, why it exists, and where to get further information when they need it. If no such effort exists today, start by integrating it into new employee orientation. Then, once some success can be demonstrated, the training can be delivered through web-based training (WBT) on an annual or biannual basis. Success can be measured by surveying users who have taken the training.
- Another opportunity to communicate about security is a bulletin area such as the corporate intranet site or a monthly newsletter distributed throughout the organization. Describing common threats and how to avoid becoming a victim of them is a good way to remind users that their own activity is a factor in the organization's exposure.
Without security awareness training, users may see security controls as an obstruction to getting their work done, which increases the likelihood that they will find a workaround to bypass the controls. Users are also the front line of defense: many security events are first noticed by a user, who can report them through the corporate help desk or directly to the security group. If security awareness training is already offered, there may be opportunities to improve its content at little cost to the organization. In my next blog, I'll expand into other business processes where security practices can be integrated. Maybe others have creative ideas for improvements on a tight budget that they can share.