Tuesday, February 10, 2009

Top 10 Reasons to NOT Have a Corporate Cyber Security Program

Updated 8/2/2009
I regularly walk past a humorous list of posted reasons why a corporate project management office is not needed, based on Jim Chapman’s 1996 list of “Top 10 Reasons NOT to Use Project Management.” Considering the focus on cost and change challenges many IT organizations are facing, this insightful list inspired me to come up with my own Top 10. Enjoy:

Top 10 Reasons to NOT Have a Corporate Cyber Security Program

10. Our internal and external customers really love us, so they do not care if company information and systems are appropriately and consistently secured.

9. Corporately organizing to manage cyber security risk is not compatible with our culture, and the last thing we need around this place is change.

8. All cyber security work is easy, with little guidance, direction, or accountability needed, and does not have cost, schedule, or any other significant technical, managerial or operational risks anyway.

7. We are not smart enough to develop an enabling cyber security strategy, program, or architecture without stifling creativity and offending our silos of technical and managerial geniuses.

6. We might have to understand our customers’ requirements and document a lot of stuff for review, input and approval which then would need to be maintained and that is such a bother.

5. Understanding, applying, and maintaining specific, definitive cyber security measures and clearly communicating actual status requires integrity and courage, so they would have to pay me extra.

4. Our bosses will not provide support needed for results; they want us to ensure regulatory and legal requirements, congressional concerns, and other related risks are managed through magic.

3. We would have even lengthier debates and still end up applying arbitrary, overly burdensome cyber security measures to all projects regardless of size, complexity, or risk and that would be stupid.

2. I know there is a well-developed cyber security body of knowledge that is applicable to the work I am doing, but it is too hard to understand, apply, and use to help us improve anyway.

1. We figure it is more beneficial to put increasing time and money into cyber security independently in various areas and accept a growing, uneven and obscure patchwork of results than to have an organized, more transparent company approach.

Disclaimer: While there may be times when one or more of the Top 10 resonate, an effective cyber security program should help clearly refute this list at every opportunity.

There continues to be sporadic debate about whether or not IT Security should be viewed as a profit center versus the cost center reality that the vast majority of practitioners work in, e.g., Mike Rothman’s recent commentary: Compliance is SO a Cost Center. Regardless of how security is organized and executed, the best justification approach for security improvements focuses on business benefit in the form of cost savings or value, centered on a mutually well understood reality.

Many organizations are under increasing pressure to deliver more with internal resources, including addressing growing security expectations while keeping costs contained. While the means and alignment to meaningfully execute and maintain security improvements remain vital, an even more important success factor, in my opinion, in managing such risk over the long term is clearly articulating an overall company program. The program - however thick or thin in scope and resourcing - provides the means for ongoing leadership-driven attention to risk management, policy, goals, results, and preparations, with sufficient transparency and organizational support across various groups, compliance programs, and increasingly interested and engaged management.