To a similar point, ‘feast or famine’ is a favourite phrase of mine.  I use it to describe folly of all kinds.  But it’s a great way to highlight a major organisational shortcoming too – the side-lining of known important activities in favour of short term pressures.  This is a tactic everyone uses though, surely?  Well, in the security field it’s not working and hasn’t worked for years.

“Little and often’ is another favourite.  I use it to describe a more virtuous method.  It seems that whether you’re seeking to keep fit, preparing for an important event or even keeping on top of expenses, it’s a phrase that describes desirable behaviour.  For many organisations, security spending has been far more ‘feast or famine’ than ‘little and often’, certainly as long as I have been in the industry anyway.  Could this be about to change?

It all used to be about compliance.  Security-related expenditure, that is.  As long as the compliance box was ticked, the CFO’s job was safe, and the operations team could avoid getting yelled at in review meetings.  But look at the last three months – it seems like the highest profile, most trusted brands are haemorrhaging customer information, credit card details and intellectual property to hackers.  I’m not using those terms licentiously either – RSA, Sony and even the X-Factor database have been compromised.  Those three events alone could add up to nearly half a billion compromised records.  Does this mean compliance measures are not working?  Well, the recent Verizon report suggests that where breaches have occurred, an overwhelming percentage of the companies that should have been PCI compliant, weren’t.  89% in fact.  But these recent breaches were all despite compliance systems in being place, which seems to increasingly be the case.

What does this mean in terms of brand confidence?  Here’s an example.  I spend a lot of money with Amazon annually.  In fact, I transact with them twenty or thirty times a year.   Their customer service is every bit as good as people say.  But, do you think Barnes and Noble or Play.com would get my business if Amazon lost my credit card number?  You bet they would.  Maybe this is where security is at an inflexion point.  Are we at the stage, where organisations have to make ‘pre-sale’ commitments to customers about the safety of their data?  Would I move suppliers in favour of someone who offered guarantees as to the safety of my personal information?  Maybe.

In any event, security is getting interesting again.  Do we now work in a discipline which, rather than being a perceived cost and burden to an organisation, could quickly become a competitive differentiator?  I can see it happening, but not while spending patterns are so ‘feast or famine ‘?  Maybe it’s time to start bidding for security funding not just for compliance and risk mitigation, but as a way that organisations can improve customer confidence, retention and intimacy through cast-iron security guarantees.

This may sound like blue-sky thinking – particularly in the context of things like Advanced Persistent Threats (APTs).  If a syndicate has enough time and resources, won’t they always find a way in?  Not if you have the right resources to hand.  Whether access to your systems has been socially engineered, or via a stealth APT that may have taken 6 months, a good logging solution is key.  Pinpoint and exploit early warnings, and use targeted resources to take remedial action and mobilise defences quickly.  Be warned though – feast or famine won’t work – this requires a little effort, often.

He’s having the worst day of his life… over and over again.’

Ring any bells? It’s the strap line from the film Groundhog Day which sees Bill Murray’s character, Phil Connors, caught in a time warp – repeatedly waking up to find that things are exactly the same as the day before.

The film charts Connors’ frustration at being faced with the same situations every single day and seemingly unable to start the next day afresh.

Whether it’s travelling the same daily commute, or having repeated discussions about the latest information security regulation directive, I’m sure we’ve all related to that character at some point. Particularly if you are a miserable old curmudgeon like me (in fact I think you will find that Bill Murray based his screen persona on yours truly….)

With a seemingly endless list of new or amended regulations being introduced, it’s no wonder that IT security professionals can often feel like they’re stuck in their own Groundhog Day.  No sooner does an organisation achieve compliance for one regulation, than another comes along, often bringing with it a sense of déjà vu for all involved.

Take the Payment Card Industry Data Security Standard for example. The first standard was introduced in December 2004, with the most recent revision in 2008, and an updated version due this October.  As such, the regulation seems to have been around for an eternity and it’s no wonder that mentioning the subject will trigger a glazed response from many in the industry.

This rings even more true in the public sector where there seems to be a never ending stream of new initiatives and guidelines relating to information management and technology infrastructures. In the UK alone, organisations are faced with, for example, GSI/GCSX, CoCo compliance and latterly Memo 22 replacement, Good Practice Guide 13 (GPG 13.)

Information security is an ever changing beast. As technology evolves, so do the risks posed which is why it’s imperative that organisations -public and private – don’t become complacent when it comes to compliance.

As Bill Murray found in Groundhog Day, the only way to escape the monotony of his time warp was to re-assess his attitude to life. Of course I’m not suggesting for one minute that we turn our lives upside down, but there’s a lot to be said for taking a proactive approach when it comes to guarding against risk.

In every information security related regulation, there’s a requirement in some shape or form to protect the information being held by the organisation – from credit card details to children at risk records.  Despite this, all too often security incidents are discovered after the event, once the damage has been done.

Protective Monitoring tools such as LogRhythm’s bring a new proactive dimension to information security-fulfilling multiple compliance requirements in the process.  By centralising and automating how log data is managed, organisations can gain a clear insight into network and user behaviour.  Any irregular activity is automatically flagged in real-time while reporting for compliance purposes is simpler and less time consuming.

As with most Hollywood films, Bill Murray’s ultimate goal was to get the girl. While I can’t guarantee that LogRhythm will bring similar results, it will help ease the Groundhog Day frustrations for those facing the continued compliance struggle.

Unless you’re happy living in Punxsutawney of course….