Another QOTD on good security

Organizations vary in their cultures. We expect, then, to find different cultural approaches to security management that apply to each organization [...] An important indicator as to the success of the security role is whether or not the protected population are inclined to comply with security controls, or work around them. Also, do they [users] feel like they can and should approach the security personnel when something looks awry.

I want a devil on my nuclear submarine [...] I want an entrepreneur in my consultancy and hospital. On a nuclear submarine the devil will be respected, but the entrepreneur will be less trusted or tolerated. In a consultancy, the response to the personalities will be reversed.
Posted by Chris Cronin in a SANS/GIAC discussion thread about good security (and reprinted with permission).

No comments: