As a consultant I constantly come across organizations that are more than willing to throw millions of dollars at their information security problems. Almost invariably this money is spent on technology: elaborate IDS/IPS deployments, expensive SEM solutions, etc. All this, but I seldom see any real security improvement as a result of adding high-end security products. Too often I return to customers months later to find the exact same problems.

Organizational > Technological

The failure to address security problems today is by and large caused by organizational issues, not technological limitations. Listed below are three of the most important organizational obstacles to an effective security program:

Not Knowing What The Problem Is

Many companies aren’t even aware they are being attacked. Whether the threat is internal or external, the majority of companies with massive security issues suffer from the head-in-the-sand problem. And the solution isn’t “you need a SIM.” The problem is the lack of a) motivated curiosity and b) talent. Technological solutions are next to worthless for risk analysis, which is an essential piece of any security approach. You don’t start with a NAC implementation when your employees are pillaging you from the inside using their own legitimate credentials. You have to start with an accurate view of the issues to be addressed.

Knowing, But Not Being Allowed To Address The Problem

This one makes me sad. Even if you have a good security team that knows what the issues are, more often than not there are major organizational obstacles to actually solving the problem. These are the very human issues such as political battles, turf wars, managers that don’t want to rock the boat, etc. These issues destroy the effectiveness of more security programs than the lack of any product or technology.

Knowing You Have Issues, Having Authorization To Address Them, But Not Knowing How

This one is also common, and is usually just a case of not having the right people in the security program. I’ve seen so many security groups where the people just somehow “ended up” in the security department. They don’t have any particular interest in security (or even IT at all) and their skills reflect this fact. The easy answer (and the one most companies go with) is to hire consultants and/or outsource the whole thing. Being a consultant, this is great for me, but the better solution (in my view) is to clean house and get a real security team. That takes longer, and it’s more effort, but in my opinion it benefits the company far more in the long run.

The key thing about this list is that if you don’t have all three things (KET) …

Knowledge of what needs to be done

Empowerment to make the necessary changes

Talent to execute properly

…you’re probably going to fail. And it doesn’t matter what whizbang super-product you bring in. Technology helps a security team do their job more efficiently, but only if they are already doing their job. And that’s precisely what they can’t do when organizational obstacles are in the way.

That’s why organizational issues need to be addressed with the highest priority, before adding more expensive, superfluous technology. Sure, if you have to spend the money, go ahead and get the products, but focus on making sure you can actually use the stuff; otherwise it might as well stay in the box.