We must change how we do information security. Here is my suggestion

(This post was first published at my English information security blog)

As you advance in years in this profession, an increasing part of the efforts required of you is concentrated on “not giving up”.

A significant part of this is due to the huge gap between the information security tasks that needs to be accomplished and the resources given to realize these tasks, with an emphasis on the lack of personnel (in quantity and quality) and the objections of those who are not part of information security, i.e. the internal customers of the organization (mainly development, DevOps, marketing and so on).

In recent years, there has been strong public talk about the lack of manpower in the field of information security, and there are many efforts to overcome this gap, when unfortunately these efforts also cause the entry of quite a few suboptimal personnel into the field. The main thing is to apparently count more professionals added to the field, but this causes to a decrease in the level of performance and quality in some cases, so the advance using these efforts is sometimes questionable.

It is important to understand that the gap in information security between tasks and resources will always remain, to one degree or another, because:

1. That’s life, it’s not unique to information security – you almost always don’t get what you want, and usually not what you need either (and thanks to the “Rolling Stones” band for that). You have to know how to work with what you have, constantly reflect to the relevant people the gaps and accordingly the risks, and live with it knowing that you are doing the best you can under the given circumstances.
2. In most places where you will do information security – information security will not be a top priority, to say the least, and depending on the resources you will receive (and the resources in this domain are expensive). And that’s fine, and that’s true. You will not spend 1000 cash to guard an object worth 600, it makes no sense. Information security is not a core activity of most organizations. Information security does not bring in money, on the contrary. At best, it can be marketed as a Business Enabler, meaning a positive feature of the organization and/or products/services that can be marketed to the world. Information security is an envelope service provided to the organization, according to risk prioritization that the organization does (hopefully…), and the gaps you encounter are supposed to be “priced” as part of the organizational risk management. Information security in most cases pursues those it needs to protect, they are almost never a partner from the beginning, and the results and prices are accordingly.
3. In many cases information security is seen as a type of “insurance”. In other words, we know that we need to prepare for possible damage, but in the current we suppress the thinking about this risk and accordingly devote as few resources as possible to it, with the assumption (part of it is suppression) that the chances are that the risk will not materialize and therefore we want to avoid unnecessary expenses for the benefit of this activity.
4. And here I come to the main topic of this post, which links to the issue of the lack of manpower that I mentioned at the beginning – information security is considered as an exclusive subject/problem only of the information security department and its people, and therefore they are solely responsible for it. Everyone else does a favor and helps when possible and when they “feel like it” or when they are forced to, usually due to external reasons such as laws, regulations, or external criticism.

Information security, as an organizational function, because it is not a high priority in organizations – always has to run after the internal customers, especially development and DevOps, and try in one way or another, positive or negative, to get their “attention” and working hours of execution to promote information security with them.

In my opinion, changing this attitude is much more important to address than the lack of information security professionals. We need a fundamental shift in how we do information security.

As long as the current attitude will not change – the attempt to add more people to the information security profession, all continuing to follow the same activities as mentioned above – will not solve the problem.

It is not the direction in which efforts should be invested. Information security is a challenge too big to be handled exclusively only by information security professionals.

In my opinion, the only way to significantly improve the situation is only if it will be defined for all relevant internal customers of information security, from the top, from the CEO on down – that information security:

1. Is an integral and essential part of any products/services that the organization creates. It’s not nice to have, it’s not “let’s do a favor to the poor information security folks who are begging us to do some information security”.
2. Will be integrated into every product/service life cycle – from the product planning by the product managers and architects to the cancellation of the product/service and its fade out and closure
3. Information security will not be the sole responsibility of the information security department. Each department, each manager, and each employee – will be responsible for implementing information security in their field of activity. The responsibility will first be on them.

The information security department and its people will assist them, with training, direction, advice, integration, etc., as a kind of internal “consultants”, but they will not be the first line. Information security will manage this activity “from above”.

Also, of course, the information security department will continue to be exclusively responsible for the core topics of information security and will operate products and services that are distinctly information security.

In my opinion, only a change of direction as proposed above could actually improve the implementation of information security from its current dismal state, otherwise we will continue to rely on the inherent incapacity of the current situation as described above and lose severely in the battles against the bad guys.