The Greatest InfoSec Threat of 2010: Re-Orgs
March 25, 2010
The industry is again abuzz, this time about the advanced persistent threat (APT) and other “new” sophisticated boogeymen lurking out there on the big bad Internet. Ironically, the greatest threat to the success and continuity of enterprise information security programs that I see strikes much closer to home, and isn’t nearly as sexy: re-orgs.
I can’t count the number of security leaders I talk to who are either planning, implementing, or just coming out of a re-org, whether self-inflicted or due to upheaval in the ranks above or to the sides. And let’s not even mention the ongoing game of CISO musical chairs that decapitates entire programs and leaves them listless for months on end. I see far more damage to the infosec capability at these businesses from this ongoing restructuring than I ever do from malware outbreaks: management loses confidence and hard-won political capital vanishes, operations and key initiatives get whipsawed by shifting attention, budgets become unpredictable, infrastructure investments wither from lack of care and feeding, morale and cross-group perception range from cynical to downright bleak, and a sense of helplessness pervades a practice that is supposed to be enhancing visibility and control over IT.
Certainly, change is inevitable, and some restructuring can of course be good if done thoughtfully to improve clarity of mission, roles and responsibilities, or other fundamentals. But my sense is that we’re changing too much, too often, and it’s disrupting our focus and damaging both our credibility and our ability to get things accomplished in the long view.
It’s time to adopt a more cross-generational perspective, align around a few fundamental practices that must be sustained for posterity, and keep the eggs incubating in the nest for a little bit longer. Because whatever your opinion about APT, I think most would agree on the “persistent” aspect. What’s your infosec succession plan?