Countering the Threat of Information Security Fatigue

Charles Pask’s comments on my recent blog postings raise an interesting and realistic new threat: that our industry might lose credibility due to non-events, because we are simply too good at what we do, and the bean counters are out to squeeze our budgets. It’s a good point. I’ve certainly noticed the mounting pressure from accountants as we aim to spend increasing amounts of money on yet more point solutions that all sound very similar – generally a variation on “network security” – to counter threats that rarely materialise. You can also see this fatigue in the area of staff awareness, whenever we ask to put out yet another staff circular on the importance of password selection. So what can be done? Here are some practical tips.

Firstly, explain what’s changed. You won’t get a bigger budget unless you can point to something new that demands it. There’s certainly plenty of evidence to suggest the risks have increased.

Secondly, don’t cry wolf, or at least place a realistic quantification on your risk assessment. If you assess the risk of a major incident in 2007 as 20%, there’s a good chance it won’t happen and you can pat yourself on the back. If you think it’s 80% then you have a good case to immediately go out and spend money to reduce this to an acceptable level.

Thirdly, use a richer vocabulary for countermeasures that sounds plausible and doesn’t lump them all together in a single category, such as “network security” or “access control”. Any accountant worth his salt will quickly spot that you’ve already bought a product under that heading. So why should you need a new one?

Fourthly, explain the need for defence-in-depth. Most managers quickly get this and it makes sense. It also suggests that you will need more than one level of countermeasure, so the accountants will expect further spend to be forthcoming. I’ve used this one myself quite successfully.

Fifthly, take a course in Neuro-Linguistic Programming (NPL) so you can at least try to manipulate or even hypnotise the Board and the bean counters. But check out my earlier posting on this first.