Information Security and Compliance


The second coming: Information Security is coming of age … again

The impact of IT on information security has been dramatic; IT has challenged security like never before. But if the first 30 years of IT deployment and use were challenging for traditional approaches to information security, they were nothing compared to the last decade, which saw the birth and early years of the “Commercial Internet” (i.e. the use of the Internet as a vehicle for completing commercial transactions and for other business-critical information processing). This revolution in the business use of IT left information security practices trailing behind, and we are still playing catch-up today.

There is now a demand to close the gap between business reliance on IT and the Internet on the one hand, and the state of information security on the other. Recent years have witnessed an enormous amount of media focus on breaches of IT security, and specifically on breaches of internet security.

To some people this media focus is hype; to many others it is entirely appropriate, justified by the need for a drastic improvement in the state of the art of internet security.

Regulators and legislators are notably interested in seeing improvements. Organised crime has grown, and corporate fraud, shareholder deception and abuses of corporate information have all prompted regulators to act. Criminals are more sophisticated and agile today because, like corporate and public sector organisations, they too have well-funded access to IT and the Internet. Their activities include large-scale fraud and international money laundering.

Compliance has become an imperative for improving information security.

Relevance to the here and now: planning and budgeting

IT security measures - tools, projects, operations - have always been difficult to cost-justify. Return on investment (ROI) has always been the favoured mechanism for setting corporate IT budgets, with Total Cost of Ownership (TCO) also playing a part.

But IT security is more about the cost of non-investment (CONI) than about ROI or TCO, and it is altogether more difficult to make a compelling budget case from CONI than from ROI and TCO techniques. Before the commercial internet, information security was far less demanding, and it was common practice for organisations to spend roughly 1% of their total IT budgets on security. IT security was ‘bolted on’: it was budgeted and implemented on a per-application, per-project basis.

The birth and developing maturity of the commercial internet has challenged most organisations’ commitment to information security provision, and as discussed above many have so far failed to meet that challenge. Information security budgets today typically represent between 2% and 5% of total IT budgets. Judging by results, this is still clearly not enough. Legislators and regulators are no longer willing to allow the current poor state of affairs to persist, and they are now applying the measures they consider necessary to improve the state of the art of IT and Internet security.

This is a very real call to action. There is a pressing need for improved information security, for the art to come of age … again!