Over the past few weeks I’ve run across, either personally or via press, case after case of companies with poor security practices. These aren’t small shops like Bob’s Bait and eCommerce site, but rather big-brand-name organizations that have sophisticated security practices. So why do these things continue to happen?
I often open a keynote presentation by noting that organizations are undergoing a fundamental shift in security strategy – moving from a compliance-focused to a risk-based approach. That shift is still ongoing; even in large and sophisticated organizations there is still a gravity towards ‘doing it for the audit’ rather than ‘doing it because there’s risk’. […]
I regularly get asked by new CISOs for information – benchmarks – on how much organizations like theirs should spend on security. That’s a deceptively simple question, and while there are plenty of surveys you can reference, none of them provide more than a rough starting point – there are just too many variables.
There’s a lot of talk about aligning security programs with business or functional goals, but in practice that’s much easier “powerpointed” than done. The business consequences of security decisions, and the security consequences of business decisions in the broader context, are all too often missed or ignored, sometimes even deliberately. As Obi-Wan said to Luke, “What I […]