
Insecure and unauthorized practices by insiders or trusted third parties can create significant risk to critical business systems
Flip through the pages of any IT or security trade journal and before long you’ll find discussion of the need for security practitioners to map security to the business. The paradigm shift from ‘protecting information assets’ (i.e. security) to ‘managing IT risk’ (as it relates to the business) was in great part triggered by the Sarbanes-Oxley Act (SOX), which set the precedent for making executive management accountable for the integrity of IT systems. Once the regulatory floodgates were opened, a slew of other regulations followed suit. Not to be left out, the private sector trumped SOX with the introduction of the PCI Data Security Standard -- arguably the most well-defined and rigorous set of guidelines, as well as the biggest piece of many corporate security budgets (and headaches) today.
A quick scan through recent headlines, however, reveals that “compliant” and “secure” are still not the same thing. What good is being PCI-compliant, or having a HackerSafe seal on your website, if you get breached the next day? If you buy into the notion that the role of security is to enable business execution in as safe a manner as possible, then the operational element of risk management warrants some scrutiny, since more often than not it is the chinks and glitches that occur as part of daily operations that, if left unaddressed, lead to bigger problems down the road. It might not be trendy to force attention back to bits and bytes, but a slight pendulum swing back in the technical direction may not be such a bad thing.
