Think Information. Think Security.
The items pointed out here are the very basic pains of an Information Security professional.

And this goes to show that from day 1, for many organizations wired to the world, their system is already vulnerable.

Most organizations still don’t have a dedicated budget for information security.

I must confess: Being an information security consultant isn’t the easiest job in the world. But then, nothing worthwhile ever came easy. Here are some harsh truths about why an information security professional may not be the happiest person at the workplace:

Questionable popularity

While it isn’t necessarily on anyone’s personal goals’ list to be the most popular chap around the water-cooler, infosec professionals suffer from an acute case of plummeting popularity. This is because their primary job is to essentially find stuff that is wrong. Or what we in the business like to call control weaknesses. Finding fault with people who generally put in long hours and are themselves the least appreciated (I mean the IT folks here) is hardly going to help in the popularity department.

Peripheral existence

Most infosec professionals find it difficult to get a word in edgeways when it comes to critical business decisions or strategic technology decisions. Security is typically an afterthought. The focus is usually on growth, increase in revenues and profitability. Controls can be put in later, is what the majority of folks in senior management would think. Although not all of them would come out and say it openly.

No budgets

The top three most depressing statements I’ve heard in my career are (in decreasing order of how much sadness they can induce):
  • Even if our data does get compromised, so what?
  • We haven’t been hacked yet, so why should we bother?
  • Our regulators don’t require us to implement information security, so we’ll let you know.
In light of this, most organizations still don’t have a dedicated budget for information security. So you’re essentially left pleading for a portion of the IT budget to be spent on information security.


If you point out flaws you’re accused of crying wolf. But when something does go wrong, the first person to be blamed for it is the infosec guy. It doesn’t matter how many audit reports went unaddressed, or how many controls were ignored due to other business priorities, but a security incident is entirely our fault.

But let me tell you: the times, they are a-changing! Having spent the last decade in this field, I’ve seen a dramatic change happen in the mindsets of a lot of organizations. From a time many years back, when a large bank in the country told me that they had anti-virus and firewalls and that was enough security, to a time today when companies are convinced about the need for a holistic approach to information security, we have indeed come a long way. I wouldn’t exchange the last ten years of having seen this profession evolve for any other career in the world!

Editor's Note: Cross post from InformationWeek

1/31/2014 08:37:26 pm

Great blog! I definitely love how it’s easy on my eyes and the data is well written. I'm curious how I will be notified whenever a new post has been created. Have a nice day!

1/31/2014 08:38:20 pm

I was very happy to get this web-site. I needed to thank you for your time for this superb read!! I am positively enjoying every bit of it, and I also have you bookmarked to look at new stuff you post.

