Recently we were in talks with a client for whom we have done security projects for years. They said they had hit some hard times recently and had to cut the quarterly security assessments and security checking we performed. After a few months we received a random email from them making sure they were still good and that we had everything we needed to maintain security for them. We gently reminded them that we had no clue, as we hadn't seen their network in months. The executive we were speaking with was shocked to learn the assessments had been stopped by IT. He said times were not tough and these needed to resume immediately.
What about security and testing is so worrisome to some IT departments? I want to stress the word "some" as I know it is not all in the IT world.
IT security will not be a priority for most organizations as we enter the 2014 calendar year. I don't care what article or news story says otherwise. There is major pushback from IT departments on most security projects. Even when we get through an assessment, many times the remediation of the issues is rejected, as it would be too disruptive in their opinion. This is completely false and a bogus statement if done by professionals.
- The WSJ reported in 2013 that every company has been hacked, according to government data.
- People lose their identity every day.
- Companies go out of business every day.
- Health records are stolen daily.
The information and evidence are clear that security should be a priority, but as a whole it is not. Is it for your organization?