Tuesday, April 01, 2008

Money, It's a Gas...

I can say that, for the most part, INFOSEC continues to be an afterthought: a reaction to "OMG, we just lost 40,000 PII records, and now we have to go before a congressional committee and explain why we lost Senator X's PII."

The key problem isn't the lack of laws, technology, or even smart IT security folks to make it work. The problem is that the stupid people outnumber the smart people on a gross and frightening scale.

To compound that problem, the people who control the money are not the smart people but the stupid people in the accounting offices, most of whom are, you guessed it, accountants who do not understand the fuzzy logic of IT security.

My mother is a CPA, and, God bless her, I love her very much, but if so much as a cent is out of place she goes nuts finding it, and find it she does. That is her job and what she understands.

When I try to help her with IT issues, the same binary thought process kicks in. She will complain that "my computer is slow," and her response is to buy a new one, because binary logic says that if the computer is slow it is because the computer is old and should be replaced.

An IT security person would look at the system holistically rather than at a single variable. The main reason her laptop, which was only a year old, was slow is that she loaded it with junk programs and the operating system did what it always does and filled up with cr@p. So over time the system spiraled downward until it started blue-screening.

Therein lies the other problem we face in getting the budget needed to meet the objectives outlined by the stupid people. Information security issues are too complex to be solved by buying a new shiny widget (laptop). The business must be understood, and the impact on the business must be made clear if the IT assets supporting it are negatively affected in any way.

Yet the stupid people, who control the money, don't understand that this level of detail isn't a nice-to-have; it should be a requirement. But seriously, look at who is really running your show (business) and ask yourself: "Would they know how to get to grep?" or "Do they understand what happens when they ask to run a network scan at 2 pm on Thursday, before payroll gets sent out the next day?" or, my personal favorite, "I need an exception to the proxy rules for one person." To which I say, "Why?" The response is "Because." I say, "This will modify the proxy for the entire agency." And the response is "So?"

Just remember who we are all dealing with. I'm not saying these people are bad or even malicious in their intent. It's just that Dumb and Dumber are running the show, and those of us who have a clue are out in the cold, wondering how we got locked out of the warm cabin again.

Proving to the Dumb and Dumbers that money spent on IT security is worthwhile will never be an easy chore, because we will always be a cost center.
What do CFOs love to do most, and most often? Seek and destroy cost centers! It is their mission in life, and forget trying to explain that not upgrading a network intrusion sensor will leave them vulnerable, because all the requirement states is that they have to have NIDS in place.

It falls back to the CPA who says, "I have NIDS, so I am good to go," when in reality the NIDS in place are worthless because they are end-of-life and can't be upgraded to cover the latest IDS signatures.

But the CPA that lives in every CFO and manager says, "I'm covered, so why worry?"