As a consultant I constantly come across organizations that are more than
willing to throw millions of dollars at their information security problems.
Almost invariably this money is spent on technology: elaborate IDS/IPS
deployments, expensive SEM solutions, etc. All this, but I seldom see any
real security improvement as a result of adding high-end security products.
Too often I return to customers months later to find the exact same
problems.
Organizational > Technological
The failure to address security problems today is by and large caused by
organizational issues, not technological limitations. Listed below are three
of the most important organizational obstacles to an effective security
program:
- Not Knowing What The Problem Is
Many companies aren’t even aware they are being attacked. Whether internal
or external, the majority of companies with massive security issues suffer
from the head-in-the-sand problem. And the solution isn’t, “you need a SIM”.
The problem is the lack of a) motivated curiosity and b) talent.
Technological solutions are next to worthless for risk analysis, which is
an essential piece of any security approach. You don’t start with a NAC
implementation when your employees are pillaging you from the inside
using their own legitimate credentials. You have to start with an
accurate view of the issues to be addressed.
- Knowing, But Not Being Allowed To Address The Problem
This one makes me sad. Even if you have a good security team that knows
what the issues are, more often than not there are major organizational
obstacles to actually solving the problem. These are the very human issues
such as political battles, turf wars, managers that don’t want to rock the
boat, etc. These issues destroy the effectiveness of more security programs
than the lack of any product or technology.
- Knowing You Have Issues, Having Authorization To Address Them, But Not
Knowing How
This one is also common, and is usually just a case of not having the
right people in the security program. I’ve seen so many security groups
where the people just somehow “ended up” in the security department.
They don’t have any particular interest in security (or even IT at all)
and their skills reflect this fact. The easy answer (and the one most
companies go with) is to hire consultants and/or outsource the whole
thing. Being a consultant this is great for me, but the better solution
(in my view) is to clean house and get a real security team. That takes
longer, and it’s more effort, but in my opinion it benefits the company
far more in the long run.
The key thing about this list is that if you don’t have all three things
(KET) …
- Knowledge Of What Needs To Be Done
- Empowerment To Make Necessary Changes
- Talent To Execute Properly
…you’re probably going to fail. And it doesn’t matter what whizbang
super-product you bring in. Technology helps a security team do their job
more efficiently, but only
if they are already doing their job. And that’s precisely what they
can’t do when organizational obstacles are in the way.
That’s why organizational issues need to be addressed with the highest
priority — before adding additional expensive, superfluous
technology. Sure, if you have to spend the money, go ahead and get the
products, but focus on making sure you can actually use the stuff, otherwise
it might as well stay in the box.