Comments on Dr. InfoSec™: Data security 'flouted by workers'

Dennis's point about cost justification reinfo...

2009-06-30T08:09:40.657-07:00

Dennis's point about cost justification reinforces the first bullet point in my original post. Without appropriate support for Information security, companies are locked in a reactive cycle of risk management.

In order to evolve from a reactive stance (event occurs, costs incurred, security gets management's attention) to a pro-active stance (i.e. actively track and manage risks), executive management and information security have to improve their ability to communicate.

In a perfect world, both sides would modify the way they communicate to reach each other. In practice, the information security side has to find the right approach to reach their management's attention to appropriately convey the business impact of non-action.

You forgot about cost justification. Most people ...

2009-06-30T07:47:28.847-07:00

You forgot about cost justification. Most people won't initiate any security initiatives until an outage, attack, or outbreak impacts their bottom line.

Information Security has at least made it from the back room to the board room. And those in the board room are extremely concerned about how much money an incident cost them. If the focus towards security is measured as a cost to prevent the cumulative cost from an incident, then the you will win the backing of the higher management teams.

Let's face it, they don't care about the bells and whistles, they just want to know that the money spent is going to keep the company name, and theirs, from being in the media for a breach/incident.