But it doesn't have to be that way.
The key is to start with the basics. By doing so, an organization can realistically evaluate its current program and begin implementing an improvement plan, complete with a two-year roadmap, in as little as 90 days.
It begins with defining current and future business requirements, then identifying the gap between the organization's current and desired security state, and ends with creating and implementing a plan to reach that desired state.
Define current and future business requirements: The objective of an information security program is to help keep an organization up and running by protecting the integrity of its information assets.
It follows, then, that the ideal information security program supports rather than hinders the company's ability to achieve current and future business goals. That's important to keep in mind in order to avoid putting measures in place that will eventually be circumvented because they get in the way of doing business.
Defining current and future business requirements includes outlining the company's strategic objectives, assessing the current and future business environment, and identifying tactical security issues requiring immediate action.
Identify your information security gap: The next step in developing an information security program is to evaluate the state of the current information security program and set goals for a future program.
The components of an information security policy fall into three major categories: people, processes, and technology.
This is not an exhaustive documentation of the existing environment. Rather, it is an evaluation of how well the program has worked to date, if metrics are in place to measure its effectiveness, and whether independent reviews of the program have been completed.
In planning a future information security program, the initial analysis should be broad and unconstrained, since the goal is to define a long-range plan that can be tailored over time.
The result of these analyses is the information security gap: the difference between the current and the desired state of the program.
Such an analysis might find, for example, that the company is not in compliance with industry regulations for information security. Or perhaps several high-risk areas were found within critical components of the business. Or maybe it became clear that the current organization is not capable of managing an information security program.
Develop an information security roadmap: Creating an information security roadmap is the final and most important step in the development of an information security program.
This roadmap leverages the recently established information security gap analysis to devise a plan for getting the program from its current state to its future one.
Typically, one or more major program areas will have serious issues to be addressed. When analyzing potential solutions, it's tempting to get bogged down dealing with proximate, pressing tactical issues and forget about long-term strategies; in other words, to opt for immediate fixes whenever something goes wrong.
Of course, some tactical issues do require urgent attention.
Regulatory compliance requirements, for example, must be addressed in a timely manner in order to continue to conduct business. In fact, it is appropriate for some organizations to develop a three-month tactical plan just to address high visibility issues or to earn some quick wins and, in turn, gain more support for the program.
But regardless of the level of detail of tactical and strategic issues a roadmap includes, it must also take into consideration the cost of a safeguard compared with the benefit of its implementation as well as the time it will take to deliver it.
Alternatives must be included and presented to management during the course of the analysis so that it is clear how each approach impacts revenue, productivity, customers, compliance issues, and company image and brand.
Every organization has gaps in its information security infrastructure, and closing those gaps can only be accomplished by following a clear roadmap based on careful evaluation and analysis.
But by devoting as little as 90 days to defining current and future needs, pinpointing areas for improvement, and devising a prioritized plan for taking action over time, organizations can be well on the road to ensuring a more secure enterprise environment.
Mark Egan is Symantec's CIO and vice president of Information Technology. He is responsible for the management of Symantec's internal business systems, computing infrastructure, and information security program. Egan is author of "Executive Guide to Information Security: Threats, Challenges, and Solutions" from Addison Wesley and was a contributing author to "CIO Wisdom."