02.19.08
Is Your Security Department Necessary?
By Dan Morrill
"What do you do that provides value to the company?" With all the companies I have worked with and have worked in over the last 20 years, asking this one question seems to leave everyone slack-jawed at the interview.
Of course, managers are usually happy with this question, while many tech geeky folks are incensed that I would not know what a security department does. While in general we all have an idea of what a security department does, the real question is "what does your security department do for you to make business safer?"
The security department is responsible for working with business to bring more secure services to customers, internal and external.
If you are not doing the above in a sound way, one that accommodates budget (part of every business project should be a security budget), has all levels working with each other (developers, security, business analysts, managers, and the eventual owners of the project), and at least tries to identify risk, then the department is not doing what it needs to do. The security department also must have an A-level executive sign off on risks; without that, the initial reason to exist, working with the business, is not being met.
The failures to do this are legion; there are enough horror stories out there that have customers and business partners quite rightly asking, "What is up with that company?" From missing laptops, to credit card systems, to internal business data, to e-mail from MediaSentry: the whole gamut of security issues.
We know all the stories.
What have we done to address the risks that those stories entail?
The security department is responsible for working with business to bring more secure services to customers, internal and external.
We fail.
This gives people like Peter Tippett the opportunity to take us head on, and tell us that our priorities are all wrong, because we are not:
The security department is responsible for working with business to bring more secure services to customers, internal and external.
Doing this.
Walk in to work tomorrow and ask your information security manager:
What have we done to address the risks that this project entails?
It might make it a bad day, or you might just get the attention of many people in the department. Depending on which way it goes, there are three ways this will work out.
The manager will know exactly what the risks are and how they are being addressed. This is the best-case scenario, and the most unlikely.
The manager will not know what the risks are, and will ask you to figure them out. This is the more likely scenario, and one that means much work for the person asking the question. In the longer run, though, this means a safer, more robust system. This might also tick off everyone you work with, because it means they have to do more work, or the work they are paid to do. Either one of these will make you instantly unpopular.
The manager will not know, nor will they care why you are asking. This is the worst-case scenario, meaning it is probably time to find a different environment, or to wait for that manager to go before you have an informed and effective security department.
This is part two of "stop wasting time and money" or a "perfect world viewpoint" of what information security should be doing for a company.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.