In one form or another I have heard this question posed hundreds of times. It is always an expression of frustration on the part of some IT security practitioner. This time the question was posed to an IDC analyst at an event I attended this week in Zurich. The analyst, Eric Domage, gave one of the better responses.
The question (expanded): "You are preaching to the choir. IT security people know just how bad the situation is getting. But, how do we raise awareness at the C-level, or board level, so that we get the resources we need to counter these threats?"
My response usually takes the form of some sort of risk-management, scenario-planning, asset-identification process. Eric's was more succinct: "Just wait for an incident. After you are hacked and there is significant loss of information and even public exposure of your loss you will get plenty of resources."
Cold, Eric. Very cold. Although we have seen this over and over: CSX, Lowe's, and presumably TJX all invested more in security *after* incidents. The latest is Monster.com, which lost a couple of million resumes to phishers/spammers this week.
From this news snippet:
Monster, the major online job-search site, says it's beefing up its security measures after suffering a significant data breach earlier this month.
Eric is right. Too bad this is not great advice for those responsible for security, because along with the new investment the incumbent security staff will probably be thrown under the bus.
-From Gate E08, Amsterdam.