Saturday, September 10, 2011

Risk Management or Compliance Management? - Andy ITGuy

Timing is everything. Sometimes it works in your favor and sometimes it sneaks up and bites you in the butt. I wrote this last night (Thursday) and didn't get around to posting it, and then today I see several people pointing to this video on the very topic I wrote about. Oh well, here it is, a day late and a dollar short.

I've been thinking a lot lately about "risk management". After all, that is the core of what a security professional is supposed to do. We help the business manage the risk that it faces. Sounds great in theory, but how well does it really work? What I'm seeing is not real risk management so much as compliance management. We are tasked with ensuring that the business doesn't fall below the compliance threshold, and that is considered risk management. We talk to the business about issues and give them our input on what needs to be done, and we are told "that's not required by regulation X or policy Z", so the business approves the minimum that gets them "compliant" and then goes on about its merry way.

Some will say that if this happens then you are just ineffective at selling your program or solution, and maybe that is the case from time to time, but I think it's a much deeper problem than that. The business is focused on doing business, and they push back on those things that they see as being a hindrance. They are more concerned about ensuring that Customer Connie and Client Clint don't have to do anything themselves to protect their interactions with the business. They don't want to negatively impact the customer experience, and I get that. Very few people like it when they are constantly being asked to verify their actions online, and they will go elsewhere if given the opportunity. The problem is that the business has taken the hard line and wants security to be completely seamless and invisible to the customer. Now the business has become the department of NO. No, we don't want to deploy something that requires the customer to take action. No, we don't want to deploy a solution that will slow the transaction by half a second. No, we don't want to change the way we code; we want you to install something that fixes (or hides) our mistakes for us.

The business has fully bought into the compliance mentality and doesn't want to go beyond it. They tell us that they want us to manage risk, but what they really mean is that they want us to ensure that they are not at risk of being out of compliance. Unless, of course, the compliance requires too much of them; then they want either a compensating control or to accept the risk and hope that it never comes back to bite them. Then once it does, they blame security because we didn't push hard enough or didn't inform them of the potential for it to be this bad. Of course, the 20 different emails and slide decks where we laid all of this out don't matter at this point. It's still our fault for not doing our job.

Source: http://www.andyitguy.com/blog/?p=992

