During the course of my conversations with people at TechEd last week, one item came up time and again - many of you work with people who panic when there's a high-profile security story in the news, and the result is that you are tasked with interrupting your work to go through the motions of "dealing with the event". This may seem like a weird thing to say, as clearly it's important to ensure that your systems are not in fact at risk. The problem is that in many cases you've dealt with the problem well before it hits the news, and hence spend a great deal of time explaining this to your management.
It's very difficult for someone who's non-technical to get a measure of how secure (or not) your systems are. Picture working in their shoes for a moment - security tends to be subjective, and they have to ask whomever they trust on the technical side of the business for an opinion as to the risk. It's hard as a technical person to prove that you have identified and mitigated the risks.
I'm interested to understand how you deal with these problems. Do you rely upon a formal risk management methodology to measure and compare your security posture? Are such approaches viewed as being cumbersome?
Let's face it - it's very easy to tell when security's not working - headline stories about your organisation tend to give the game away. It's much more difficult to prove that all is well and that you invested in the right areas.
Please hit the comment button and share your views.
I have a different perspective. I work for a security solution provider, so I am the one that IT Directors, CIOs, and other execs call to be their second pair of eyes. I never want to over-sell to a company, but I have caught way too many IT guys with their hands in the cookie jar. I think you should always have an outside audit done. The frequency and depth is up to the size and budget of the company, but a 3rd-party audit should be mandatory for everyone. That's why most security regulations require it.