Obstacles to effective InfoSec Program Management
CISOs want to protect the assets of the organization writing policies and procedures, evaluating risks, deploying controls and creating business cases but most of them realise that they have a lot of obstacles to manage effectively the information security like poor support from the board of directors, insufficient funding or inadequate human resources and they end up exhausted and terrified because they know that they will receive some attack in any moment that it will affect the business and their jobs.
When we are running an initiative to implement an effective InfoSec Program Management there are always some obstacles and challenges that we have to face it. We are going to discuss three main challenges.
The first one is basically poor support from management. This can be vertically from upper-management or executive management or it can also be horizontally from other manager that they are in the same level vertically and they are managing other units or departments but we need synergies and cooperation with them. Therefore this is the overall lack of support and it can be due to misunderstanding, it can be due to politics, it can be due to a lack of interest in security initiatives. Sometimes we have to utilize resources from other departments like data of other departments, individuals from other departments and of course this probably is going to cut into programs and projects that other managers are putting in place. As a results there is a constant battle for resources in the organization.
Secondly, an inadequate funding and insufficient money available to get our security projects implemented. This is one of the most frustrating issue that comes up. Thus, this is a new discipline that security managers have to learn to know how to get money to purchase a new cluster of firewalls, to put in place a new Intrusion Detection System (IDS) software solution or for other types management tools, or also just for putting together a team of people. Accordingly, getting funding can be a tough thing.
Security management is a new discipline and the board of directors may not recognize the value of security investment in hardware, software, personnel, time, training or awareness and may be they see it as a low value to the company. It also tough for the board of directors to conceptually see where money is going on security projects and security programs. We know that mitigating against risks and threats that they haven't occurred yet is tough for the board of directors and sometimes they want to wait for the problem to occur before allocating money to it.
Finally, inadequate human resources. This is not just no having the people, it is also have to be with the poor understanding of the type of activities that people have to engage. Besides, the lack of awareness, underutilization and the fact that many business units aren't willing to give up human resources to help us with our programs and projects.
Best regards my friend and remember, all managers have obstacles and we should help each other to run the business effectively.