What's the best way to win a CEO's support for greater information security investments? Consultant Eric Mueller advises IT security professionals to spell out the business impact of inadequate security.
"Regulation drives spending," says George Tubin of GT Advisors. "You're in a situation where the regulators are telling you, 'You have to do something; you have to make improvements.' Therefore, the bank has to spend some money on technology."
To respond to a security incident, an organization must first be aware of it. But too many intrusions go undetected, says Rob Lee of SANS Institute. That's the first problem that needs to be addressed.
One problem tracking IT security employment is the dearth of information. Even the most trustworthy organization in collecting employment data, the Bureau of Labor Statistics, furnishes infosec data it cautions aren't reliable.
CIO Roger Baker concurs with auditor's recommendations, saying the Department of Veterans Affairs has "embarked on a cultural transformation" and that "securing information is everyone's responsibility."