I was recently asked what suggestions I would give to Chief Information Officers to improve their security posture.
My suggestions were as follows; I'd love to hear your comments on what you'd suggest:
Here are my five tips for CIOs:
Sound advice; especially the need to get "audience review" of policies. I have a small selection of "tame" users who I can trust to give sensible feedback; when you've been in a security mindset for so long it's painfully easy to slip into jargon or to miss the obvious misinterpretation. I'd add "Be prepared to stand your ground with auditors" to the list!
Nik> Good suggestion - thanks
Unless you embrace risk as your ultimate metric, unless you understand risk and its impact, you'll continue to chase every new control, every new fad, and be a slave to FUD.
Alex> Excellent advice and very well put
Alex & Steve> If it's all about risk, then why do we call it "Information Security?" Shouldn't it be Information Risk Management?
Ron> That's a very good question! Information Security is about more than Risk Management but it depends upon effective risk management. It's easy to obsess on technical controls rather than identifying and managing the risk
Steve> I beg to differ. Information Security is a component of Risk Management, not the other way around. What elements of Information Security go beyond risk management? The reason I'm pushing this is that risk is a universal language understood by the business. Security is a method for managing risk. To increase acceptance, Information Security needs to translate our language so it can be understood by business. That means talking risk. I've created a list of Risk Management resources at: http://www.securitycatalyst.com/?p=78
"If it's all about risk, then why do we call it "Information Security?" Shouldn't it be Information Risk Management?"
Well, many, um, "mature" (for lack of a better word) security organizations are changing their name to Information Risk Management.