by Simon Biles
I have, occasionally in the past, mentored people in (on?)
Information Security – once for money (this is not a revenue stream that
I’ve mastered by any stretch of the imagination!), but more often than
not, informally and infrequently. What most people who are keen, but
still a bit wet behind the ears, have in common is an idealistic world
view in which Information Security, as a totality, can be obtained. It
sometimes seems a bit like kicking a puppy to have to break it to people
that, regardless of how long, how much money and how much technology you
throw at something, it will still have vulnerabilities and risks. Even
the proverbial “unplug it, stick it in a safe and throw away the key” is
still vulnerable. I’ve seen “Ocean’s 11” – I know what can happen to a
safe.
The reality is what we do for a living is to make security “good
enough” – we are risk managers, risk mitigators, risk avoidance and risk
acceptance professionals. We know what can happen, and then we decide
if spending £x on it is worth it. Where we go wrong, inevitably, is that
we sometimes have absolutely no idea about the value of the
asset that we are protecting. How can you determine if a countermeasure
or control is appropriate if you don’t know this figure? The real
problem is that very often the business has no real idea either...
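To make the point concrete, here is an added worked example, not code from the original post. It assumes the standard annualised loss expectancy model (SLE = asset value × exposure factor, ALE = SLE × annual rate of occurrence), which the post does not name, and a constructed control with made-up cost and effectiveness figures. The same £20,000-a-year control comes out as “not worth it” or “worth it” purely on the asset value, and with the asset value unknown the decision cannot be made at all.

```python
# Added example (not from the original post). Assumes the ALE/SLE/ARO model;
# the control and figures below are constructed for illustration only.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    """A countermeasure: what it costs per year and how it changes the risk."""
    name: str
    annual_cost: float      # GBP per year (licences, hardware, staff time)
    aro_after: float        # expected incidents per year once deployed
    exposure_after: float   # fraction of asset value lost per incident once deployed


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualised loss expectancy: loss per incident times incidents per year."""
    sle = asset_value * exposure_factor          # single loss expectancy
    return sle * aro


def net_benefit(asset_value: float, exposure_before: float, aro_before: float,
                control: Control) -> float:
    """Annual saving from the control minus its annual cost; positive means it pays."""
    before = ale(asset_value, exposure_before, aro_before)
    after = ale(asset_value, control.exposure_after, control.aro_after)
    return before - after - control.annual_cost


def breakeven_asset_value(exposure_before: float, aro_before: float,
                          control: Control) -> Optional[float]:
    """Asset value above which the control pays for itself, or None if it never does.

    net_benefit is linear in asset value:
        value * (exposure_before*aro_before - exposure_after*aro_after) - cost
    so the break-even point is cost divided by the per-pound risk reduction.
    """
    reduction = (exposure_before * aro_before
                 - control.exposure_after * control.aro_after)
    if reduction <= 0:
        return None   # the control does not reduce expected loss at all
    return control.annual_cost / reduction


def decide(asset_value: Optional[float], exposure_before: float,
           aro_before: float, control: Control) -> str:
    """The decision the post describes: it cannot be made without an asset value."""
    if asset_value is None:
        return "undecidable: asset value unknown, go and ask the business"
    if net_benefit(asset_value, exposure_before, aro_before, control) < 0:
        return "accept risk"
    return "implement control"


# Constructed sample control: £20k/year, cuts incident rate from 0.5 to 0.1 per
# year and halves the damage per incident (exposure factor 0.4 -> 0.2).
EXPOSURE_BEFORE = 0.4
ARO_BEFORE = 0.5
CONTROL = Control(name="example control", annual_cost=20_000.0,
                  aro_after=0.1, exposure_after=0.2)

if __name__ == "__main__":
    for value in (None, 50_000.0, 500_000.0):
        print(value, "->", decide(value, EXPOSURE_BEFORE, ARO_BEFORE, CONTROL))
    print("break-even asset value: £%.0f"
          % breakeven_asset_value(EXPOSURE_BEFORE, ARO_BEFORE, CONTROL))
```

With these figures the control only pays for itself once the asset is worth more than about £111,000; a £50,000 asset loses £11,000 a year by deploying it, a £500,000 asset saves £70,000 a year. Without the asset value the function has nothing to compute.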