Forwarded from: Mark Bernard <mbernardat_private>

Dear Associates,

If you read between the lines, this story really identifies the difference between a CISSP designation and a CISM designation. One designation is entirely solution-oriented while the other is business-oriented. The CISSP does not demonstrate the skills necessary to justify Information Security (InfoSec) to a business. So all those businesses rushing out to get staff with a CISSP designation without additional business management skills have shot themselves in the foot.

Companies will not budget for InfoSec unless it is a legitimate business need, and that means justification in business terms. Without justification, businesses will continue to only budget for InfoSec positions assigned to larger non-InfoSentric business units. It's not entirely management's fault, because they truly believe that this will reduce the risk and take care of any problems that they might encounter. This is the way that traditional management has always dealt with more work: they hire more staff! This, however, is a short-term fix, which is very apparent within this survey.

Without adequate justification tied to strategic and tactical business objectives, InfoSec budgets will continue to not get approved. After all, just because someone with a CISSP says that something needs to be attended to doesn't mean that the company will automatically open up the vault.

Regards,
Mark, CISM, CISSP.
----- Original Message -----
From: "InfoSec News" <isnat_private>
To: <isnat_private>
Sent: Thursday, July 17, 2003 4:46 AM
Subject: [ISN] Update: Money seen as biggest obstacle to effective IT security

> http://www.computerworld.com/securitytopics/security/story/0,10801,83109,00.html
>
> By JAIKUMAR VIJAYAN
> JULY 16, 2003
> Computerworld
>
> Inadequate funding remains the single largest obstacle to
> implementing effective IT security measures at most companies,
> according to the results [1] of a recently completed global survey
> by Ernst & Young International.
>
> Even so, a majority of the companies surveyed said they rarely or
> never calculate return on investment when building a case for
> information security budgets.
>
> "Return on investment appears to have fallen out of favor as a
> measure of the effectiveness of information security spending," Mark
> Doll, Americas director of Ernst & Young's Security Services
> division, said in a prepared statement. "It looks like we need to
> find a credible alternative to conventional ROI approaches in order
> to secure funds for the information security function."
>
> The "2003 Ernst & Young Global Information Security Survey" was
> conducted over a two-month period in early 2003 and includes
> responses from more than 1,400 organizations in 66 countries.
>
> Not surprisingly, 90% of the organizations surveyed said that IT
> security is of high importance to them, with 78% identifying risk
> reduction as the top factor influencing security spending.

[...]
This archive was generated by hypermail 2b30 : Sat Jul 19 2003 - 04:42:27 PDT