FRSecure Article

Why does Information Security fail?



Download the full report

Thoughts about why we fail



Commentary from Evan Francen, president of FRSecure

I’m in Denver tonight, and I have some time to write a quick article for our blog. I don’t intend to be long, but I do intend to make an impact with our readers: customers, prospects, and competitors alike. I often give thought to the challenges facing the industry that I am very passionate about, the information security industry. It dawned on me a few weeks ago, while I was delivering a presentation to a group of printing industry professionals, that we have failed. We have failed to communicate well and we have failed to serve well.

I like to think that FRSecure is an exception, and would certainly like to hear your thoughts.

NOTE: First, I need to define the word “We” as used in this article. I belong to an industry, the information security industry. Whether I like it or not, “I” am part of the “We”. So when I write about “We” in this article, I am writing about our industry as a whole, not “Me”. Does that make sense? These are my collected thoughts about why we fail.

I may expand on these thoughts in future articles.


We have oversold fear


How many times have we used fear to motivate people to do something?

There’s no doubt that fear can be used as a motivator, but it should be used wisely and only when it’s necessary. One of the problems with overselling fear is that people are becoming numb or desensitized by the fear mongering.

Examples: Recent news headlines like “Most Consumers are Just One Click Away from Digital Disaster” and “Warning: HIPAA has teeth and will bite over healthcare privacy blunders”.

Solution: Only use fear if the fear is warranted, and even then only use it when it’s necessary.


We focus too much on the negative


We are so quick to point out all of the things that you are doing wrong. In general, negativity doesn’t resonate well. The problem is that when we continually focus on the negative things, we quickly lose sight of all the things that an organization does right. To make matters worse, we often point out problems without giving good* solutions. It’s easy to point out problems; it can take a little (or a lot) more work to present solutions. Pointing out problems without giving sound solutions is lazy.

*Good with the client’s best interests at heart, not ours.


We act like we’re smarter than we really are


Who doesn’t like to sound smart? We like to use big words and put them together into big sentences just to show how smart we really are. In satisfying our pride, we make things much harder to understand. People won’t think that we’re dumb if we use single syllable words in simple sentences. Simple words often have a greater impact, so we should try to use them more often.


We are too technical


Many good information security professionals have a solid technical background, but most of our customers do not. Most people don’t care about IP packet headers and never will.


We over-complicate


We can make information security as complicated as we want, but too often we do so at the expense of missing simple fundamentals. We have a saying, “complication is the enemy of security”, meaning that in general, the more complicated we make things, the more difficult they are to secure.


We lack good quantifiable data


This issue is getting better, but we still have a long way to go. How does any organization know with certainty if it’s better to invest in intrusion detection or laptop encryption? Wouldn’t it be nice if we had hard quantifiable data to assist the decision-maker?


We have too many poor practitioners


Almost anyone can profess to be an information security “expert”. Buy a few books, learn the lingo, take a test or two, and VOILA! You are an information security “expert”. We tolerate practitioners in our industry who do a serious disservice to us all, clients and other industry professionals alike. IT services providers, accountants, VARs, etc. may profess to have the experience, knowledge, and passion to be good practitioners, but too many do not.


We chase the money not the need


We should never sell anything to anyone who doesn’t have the need or structure to support it. What good does a $200,000+ enterprise network access control product do for a company that doesn’t have any policies or procedures to support it? Information security companies are pumping out new and exciting products every week, but the hype shouldn’t trump priorities.


Conclusion


We need to communicate better and serve better.


I’d love to hear your thoughts about this article, anything else about information security, our company (FRSecure) or yours.

