CSO Magazine has a column titled "What Would You Do With an Extra 10 Percent in Your Budget?"
There's an easy answer to this. Use it for an awareness initiative. Oh, and with an extra 20%? Use it for an awareness initiative. An extra 50%? Now you're talking!
There are two reasons for this.
- As I've written elsewhere, not only is there a human element in security, there's only a human side to security. In other words, in security failures there's usually a human factor involved. Addressing that human factor will usually go a lot further than investing in expensive technology. Awareness can yield measurable improvements, and it's the prerequisite for the expensive technology to do its job. This is otherwise known as the 80/20 rule.
- The other point, the more Machiavellian one, if you will, is that awareness initiatives establish a noticeable - ideally visually noticeable - presence. The impression that "security is already on the ball" will help you avoid a lot of otherwise useless issue fighting and enable you to keep your eye on the big goals.
PS. It's always been a pet thought of mine that if you're not the security manager but running an IT shop, the last ten percent of your budget will be well invested in telling everybody how great everything is running. Your users will be a lot happier than if you use the money to invest in something great they will never know about. :-)
- Peter Berlich's blog
