Wendy (again) states things that we should already know in such an easy to understand way, that you smack yourself upside the head and wonder why you didn’t think of it. Her post on the 451 blog about The hierarchy of IT needs makes very very clear why you continue to have problems making the case for security in your organization.
I won’t just pirate her image, but go look at it and it will feel like a gut punch.
Of course there are exceptions to this hierarchy. Like in the few quarters after a high-profile breach. Then blow up the pyramid and spend all the money you can. It won’t last long. Soon enough senior management will forget the pain and get back to allocating resources based on your business needs.
Wendy also offers a secret that can help get funding for those security projects you know you need to do, but can’t get senior management to understand.
If you can tie security to one of the lower requirements (lower than compliance, that is), you’ll have a much better chance at getting it incorporated more frequently.
And to net it out, more wisdom:
This hierarchy of needs also explains why security is an afterthought, and how even in the most mature of environments, it gets abandoned if one of the lower layers is suddenly threatened. It’s why holes get left in firewalls, why the accounts of terminated employees are still running services, and why back doors are left in systems. It’s all about keeping things working.
This is our reality. You can certainly resist it and bang your head against the wall repeatedly. But the only thing that will accomplish is to give you a headache. You won’t get any more funding, because the hierarchy of IT needs is alive and well.
Photo credit: “Hierarchy of Letter Boxes” originally uploaded by Michael Coghlan