Information Security News mailing list archives

Re: Update: Money seen as biggest obstacle to effective IT security


From: InfoSec News <isn () c4i org>
Date: Sat, 19 Jul 2003 03:32:41 -0500 (CDT)

Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

If you read between the lines, this story really identifies the
difference between a CISSP designation and a CISM designation. One
designation is entirely solution-oriented while the other is
business-oriented.

The CISSP does not demonstrate the skills necessary to justify
Information Security (InfoSec) to a business. So all those businesses
rushing out to get staff with a CISSP designation without additional
business management skills have shot themselves in the foot. Companies
will not budget for InfoSec unless it is a legitimate business need
and that means justification in business terms.

Without justification, businesses will continue to only budget for
InfoSec positions assigned to larger non-InfoSentric business units.
It's not entirely management's fault because they truly believe that
this will reduce the risk and take care of any problems that they
might encounter. This is the way that traditional management has
always dealt with more work: they hire more staff!

This, however, is a short-term fix, which is very apparent within this
survey. Without adequate justification tied to strategic and tactical
business objectives, InfoSec budgets will continue to not get approved.
After all, just because someone with a CISSP says that something needs
to be attended to doesn't mean that the company will automatically
open up the vault.

Regards,
Mark, CISM, CISSP.


----- Original Message ----- 
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Thursday, July 17, 2003 4:46 AM
Subject: [ISN] Update: Money seen as biggest obstacle to effective IT
security



http://www.computerworld.com/securitytopics/security/story/0,10801,83109,00.html

By JAIKUMAR VIJAYAN
JULY 16, 2003
Computerworld

Inadequate funding remains the single largest obstacle to
implementing effective IT security measures at most companies,
according to the results [1] of a recently completed global survey
by Ernst & Young International.

Even so, a majority of the companies surveyed said they rarely or
never calculate return on investment when building a case for
information security budgets.

"Return on investment appears to have fallen out of favor as a
measure of the effectiveness of information security spending," Mark
Doll, Americas director of Ernst & Young's Security Services
division, said in a prepared statement. "It looks like we need to
find a credible alternative to conventional ROI approaches in order
to secure funds for the information security function."

The "2003 Ernst & Young Global Information Security Survey" was
conducted over a two-month period in early 2003 and includes
responses from more than 1,400 organizations in 66 countries.

Not surprisingly, 90% of the organizations surveyed said that IT
security is of high importance to them, with 78% identifying risk
reduction as the top factor influencing security spending.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

