AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Core Reasons Why Information Security Programs Fail


Famous rock drummer Neil Peart, from the band Rush, once wrote, “Time after time we lose sight of the way our causes can’t see their effects.” It’s how the world works. Again and again, year after year, we see people making the same mistakes. Rather than learning from our mistakes and vowing to do things differently moving forward, we often pretend that nothing ever happened in the first place. After all, it’s easier to ignore life’s challenges. Fully acknowledging the issues before us requires work, and many people just aren’t up for that.

This scenario plays out in all facets of life – from our health to personal finance and practically everything imaginable that defines us as human beings. It’s also pervasive throughout business in terms of IT and information security. In fact, I see many security programs that look great on the outside but are hollow, even rotten, on the inside. Yet no one seems to notice it or is willing to step up to the plate and stand for what’s right. And many businesses wonder why they keep getting hit! The following are what I believe to be core reasons that information security programs fail time and time again:

  1. Inability, on the part of IT and security staff, to communicate to management not only the value of information security but also what it truly means to the business and what must be done to correct the issues.
  2. A continual, naive focus on policies without ever acknowledging the core technical and operational security vulnerabilities that are creating the real risks.
  3. Users are set up for failure by having unfettered access to systems and information that they know will go unmonitored and unenforced.
  4. Management refusing to see what’s going on: not listening to those responsible for information security, ignoring the problems and proposed solutions, and instead hiring someone new to try to resolve the issues once the current person in charge of security resigns.

Of course, every situation is different and many of these may not apply to you – and there are plenty of other reasons for information security program failures that I didn’t list. Regardless, you should take note and keep these issues on your radar. I see them all the time. Better yet, make them your list of what not to do this year – sort of your anti-goals. If any one of these items takes hold, grows, and sticks around, it’s almost guaranteed that your information security program will be an uphill battle and will likely never mature. Do your part, and coach others as well, to do what needs to be done to right this oh-so-critical ship.
