During the course of my conversations with people at TechEd last week, one item came up time and again: many of you work with people who panic when there's a high-profile security story in the news, and the result is that you are tasked with interrupting your work to go through the motions of "dealing with the event". This may seem like a weird thing to say, as clearly it's important to ensure that your systems are not in fact at risk. The problem is that in many cases you've dealt with the problem well before it hits the news, and hence spend a great deal of time explaining this to your management.
It's very difficult for someone who's non-technical to get a measure of how secure (or not) your systems are. Picture working in their shoes for a moment: security tends to be subjective, and they have to ask whomever they trust on the technical side of the business for their opinion as to the risk. It's hard, as a technical person, to prove that you have identified and mitigated the risks.
I'm interested to understand how you deal with these problems. Do you rely upon a formal risk management methodology to measure and compare your security posture? Are such approaches viewed as being cumbersome?
Let's face it: it's very easy to tell when security's not working, as headline stories about your organisation tend to give the game away. It's much more difficult to prove that all is well and that you invested in the right areas.
Please hit the comment button and share your views.