What I want to talk about today is what causes FOI. Let’s step back and remember what it was that started this whole FOI thing anyway. It’s because many people don’t believe that you can truly have Security ROI. Security isn’t so much an investment that you expect to make money with as it is money spent to protect the investments that do make money. So we have to look at security from a different perspective than we do things such as other technology purchases. Since we look at it differently, we have to measure it differently.

So when we talk about failure of investment we have to start off by differentiating between failure of people and failure of technology. People fail because they are people and because they often don’t know what to do or how to do it. Technology fails because it is designed, built, configured and maintained by people. It fails because it is programmed to do a set of tasks, and when faced with doing something different it doesn’t know what to do except fail.

Security fails for a variety of reasons. I know that you are expecting me to spout off things like improper configurations, poorly trained staff, implementing the wrong technology, and lack of awareness and user training. Although all of those are things that can lead to FOI, there is much more to it. Failure can occur when technology isn’t updated or properly maintained, or when the vendor doesn’t provide timely updates and patches. Failure occurs when the things that make for a good security program aren’t done regularly, properly and diligently.

Now the real question is how does this happen? How does it get to the point where these things are neglected or never properly implemented? I think it’s because the company doesn’t understand what the real threat is. Companies implement security to meet compliance, satisfy audit and provide enough protection to say they are doing something. They don’t take it to the next level of making security a priority. That means having support from the top. That means making a concerted effort to make sure that all employees know the what, why and when of security. Security fails when it’s not taken seriously by all involved. It’s not something that can be done by one person or even one department. It has to be a company-wide program. The network team can still route packets without the participation of HR, Maintenance and the rest of the company. The server team can still "serve" up files, applications and data without the rest of the company being on board. The security team can’t be successful unless the whole company buys in to the program, because it only takes one person to open up the hole that allows the data to flow out or the malware to flow in.