|
Overcomplicating Information Security and Risk Management
by Drazen Drazic |
|
If I had to highlight a key problem area for organizations when it comes to how they approach Information Security and Risk Management overall, it would be the over-complication of their implementation(s), or lack thereof. (Sounds strange for the latter but it’s that “complication” that also results in the “lack thereof”).
Technology has done little to simplify Information Security for organizations when viewed away from a point solution perspective and judged from an overall enterprise perspective.
As new layers of technology are deployed to supposedly further enhance security, what we are seeing is not an increase in security but rather additional complexity and the whole security program becoming so complicated that few if any individuals have that holistic oversight about their organization’s actual security position. When you don’t have this definitive view, you have critical failure. This article; “The 7 Reasons Why Businesses are Insecure” looks deeper into how simple approaches, being neglected contribute to the overall failure of an Information Security program.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Free Guide: Web Application Security
How to Minimize Prevalent Risk of Attacks
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Risks, Impacts, etc etc…..what do they mean in the whole scheme of things when they are rarely assessed outside of a specific system or application as discussed here? You’ve only got a fraction of the relevant data upon which to base a decision and/or strategy upon. The foundation principles of Risk Management have been forgotten! Yet, every major organization has a Risk Management group! What are they then doing for Information Security Risk Management? Ask them. I can guarantee you that they’re more than likely just doing project risk analysis, (and any Project Manager worth his salt can generally do that). Why? Because it’s all too complicated for them.
The foundation principles of Information Security and Risk Management haven’t really changed in the last 20 or more years but we seem to move further and further away from the basics - trusting in each new generation of the next big security software, appliance etc to deliver us some simplicity. Or, are we just hoping that it’s taking away accountability and the burden of us having to think and plan better? I’d say it is.
Related links:
- Review of Information Security and Risk Management Practices - Complex or Staightfoward Exercise?
- Workarounds, accepted mediocrity and questionable future benefits
- Risk Management - Great in meetings, not so much in practice
I welcome your thoughts and feedback.
Tags: information security, risk management
This entry was posted on Tuesday, September 22nd, 2009 at 7:57 AM and is filed under Community Manager, Featured stories, Guest Bloggers, IT Decision-making, Information Technology, Networking, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
Comments
-
Anon says:
We have lost touch with reality and common sense. Well said. Now to send this and links through to my management who will discard them because the concepts are not complicated enough.
Like or Dislike:
1 
0 -
Anon Girl says:
My Philosophy
The economic reality is the more systems we use, the more complicated the procedures we follow, the more equipment we have and the more information that we handle, the bigger the risk and the more it costs to maintain and protect.
• If you don’t need to keep it – Don’t.
• If it can be done just as well simpler – Do it.
• If it has been replaced –Get rid of it.
• If you don’t need to use it – Move it.Like or Dislike:
1 0 -
It’s amazing how many risk management solutions are founded in the concept of simplicity. When you look at the heart of any risk management planning, it’s all about proactively managing and simplifying what you can to decrease your risk.
Like or Dislike:
1 0
|
| Impact of Design On Trust We attended RSA 2010 this week where VeriSign was a Platinum Sponsor. Executive Chairman, Jim Bidzos, gave a Keynote Address on the 'Internet and Trust' explaining that without trust, people are less likely to freely share information or transact online.... Launch of VeriSign Trust Seal With the launch of the VeriSign TrustTM Seal last week, we introduced a new section to the Website dedicated to the Trust Seal. The Seal enables Websites to communicate that they are a trusted site to do business with and... New Video Player Experience Videos on www.verisign.com have a new look and feel. Users will experience an improved delivery of videos that are optimized for their available bandwidth. During playback when hovering over the video, users now have the ability to quickly share (e-mail,... |
|
| PayPal UK Launch Security Key - Guest Posting from PayPal I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal Customers will be able to use their token at other sites who join the VIP network. PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world so you can expect to see more places where you can use your token in the UK appearing shortly. Facebook scam - Part 2 This just in from the BBC web site, Symantec have identified a virus that steals user names and passwords, nothing new there. But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and delivers malware which can then steal user names / passwords and also keylog credit card info. Survey finds passwords are not secure - well d'uh! I don't think the vendor community has been crying wolf about the problems that stronger authentication solves, more like highlighting that this problem is here and growing. Well the discussion I have had recently with many different organisations across many different industries are now resulting in more and more consumer projects in this area |
|
| Open Identity Exchange: enabling all the VISAs of identity The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards... Rethinking Internet Trust and Reputation Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the... Google Hacked or Why the Cyber World Could Get M.A.D** As the world already knows, Google and a few other prominent US companies got severely hacked around Christmas time last year. Sophos has an interesting analysis of the exploit. Web malware and a zero day vulnerability in IE6 were... |
|
