Risk management and, indeed, all security activities do not happen in a vacuum. We need buy-in and time from business end-users, IT professionals, and more. Yet all too often, we plan these activities without doing a joint constraint analysis. The result is work that is understaffed and simply does not get done.
A recent survey highlights this condition. “According to Osterman Research, of the $115 per user respondents spent on security-related software in 2014, $33 was either underutilized or never used at all. In other words, in an organization of 500 users, more than $16,000 in security-related software investments was either partially or completely wasted.” IT staff “was too busy to implement the software properly, IT did not have enough time to do so, there were not enough people available to do so, or IT did not understand the software well enough,” the report states.
Personally, I am not ready to throw the IT staff under the bus. Let’s hold up a mirror. When was the last time we planned risk mitigation while taking into account IT’s time and knowledge? When was the last time we included training and staffing in our business case?
All too rarely. It is time to take constraints into account.