A colleague with an approved and funded internal mandate to spend employer money on security improvements faces an internal raid. Other, financially strapped parts of the enterprise must scramble for money to forestall layoffs. No matter how notorious those others may be for extravagant spending patterns and chronic inattention to budgets and deadlines, the larger organization must save them. Otherwise the specter of layoffs will cloud this workplace forevermore. Or so the prevailing wisdom goes. Welcome to a smaller, personal version of "too big to fail."
How does this connect to security regulation? Well, the only functions spared from this plundering are those cringing behind the force field, Regulatory Compliance. No problem, you say? Surely this protection extends over my colleague? Not at all. You see, my colleague is guilty of bureaucratic transgressions: basing security investment on an analytically supported business case and playing by the rules to make this case, obtain approvals, and run an above-board program with total transparency and multiple audits. In a bureaucracy, however, none of these steps matches the force field's value in shielding security investment from raiding. If, instead of doing things the hard, responsible way, my colleague had a handful of regulations to brandish, the raid would be defeated.
Security is no toggle switch to turn on and off instantly just before an attack. It is a rheostat that takes time to put in place and to calibrate for adjusting to the needs of the moment. But my colleague working to put this rheostat in place is now stymied by internal antibodies that do not understand, or do not want to understand, this subtlety. For them, if the money is not going into core business or into regulatory compliance, it is up for grabs. And thus the predatory and myopic impulses of bureaucratic self-preservation override the best efforts of a security professional to protect an organization from everything but ... itself.
-- Nick Catrantzos