In the realm of cyber-security, all of the advantages are with the attacker. To be successful, defenders have to guard against and defeat all possible attack types all of the time; attackers only need to find one hole in those defenses to win the game. That is why information security programs need to be dynamic and flexible in order to work properly.

I have worked with all types and sizes of organizations during my years in the information security field including government agencies, regulatory bodies, retail concerns, service providers, financial institutions and medical organizations. No matter what kind of organization I am working with, I have found it to be an immutable truth that the larger and more complex the organization, the more difficult and time consuming it is to make changes and to their information security program. It’s not really anybody’s fault, it’s just the nature of the beast. Bigger organizations have more checks and balances to deal with, more personality clashes to arbitrate, more committees to wrestle with and more ‘rice bowls’ to protect. However, this is no reason to throw up our hands and admit defeat. Now is the time to recognize that we have a problem and try to find ways to work around it.

One idea I wish to propose in this regard is the ‘top-down, bottom-up’ approach to information security. First, the people in top positions in large organizations need to be made fully aware that a real problem exists and how serious it is. They also need to be made aware of the business advantages of a flexible and effective information security program. Most important of all, they need to be willing to visibly show their full support for the program and the changes that are to come. After all, no organizational security initiative can get very far without full buy-in at the Board Room level.

Another part is the ‘bottom up’ part of the process. Some years ago I worked with a software suite that allowed anyone in the organization to easily access and view security policy on the company intranet. Not only could personnel view the policy, they could make suggestions to improve and change it, propose new techniques, recommend ways to streamline the process, etc. Nobody in an organization knows more about business processes and how to protect them than the people that work with them every day. Why not encourage them to make suggestions and report problems? All it takes is a little encouragement and minor reward. In fact, I’ve found that simply recognizing personnel for their security efforts is enough. Praise them in group meetings, put their pictures up on the wall, that sort of thing. Why should the organization hire expensive consultants to tell them the same things that they can learn from their own personnel?

The last part is acting upon the suggestions produced by management encouragement. Once valid suggestions have been made, the initiative needs to flow through the normally recalcitrant and obstructionist mid-levels of the organization to make it back to the top. Can this group be made to set aside their differences and encourage the adoption of rational and workable suggestions for change? If they can, then large organizations can truly improve the flexibility and effectiveness of their information security program, and save money doing it.