Keeping the organization robust in a highly dynamic threat environment
Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . . Yet the danger of which I want to warn is precisely the belief that in order to be accepted as scientific it is necessary to achieve more. This way lies charlatanism and more. I confess that I prefer true but imperfect knowledge. . . to a pretence of exact knowledge that is likely to be false.
FRIEDRICH A. HAYEK
“The Pretence of Knowledge,” Nobel Lecture
Modern information security models usually assume a pre-defined defensive structure of networks, systems, procedures, defenders and attackers, the properties of which are usually specified by vendors (i.e. defining the problem by the solution).
The problem with such models is that, in reducing the organization to a passive executor of the defense rules in its firewalls, they ignore the extreme ways in which attack patterns change over time. Any security policy that is presumed optimal today is likely to be obsolete tomorrow. So learning about changes is at the heart of day-to-day security management.
Categories: Anti-Fraud, Compliance, Data leakage, Information security, Internal security, Risk Assessment, Risk mitigation, Software security, Technology, Threat modeling Tags: data security, Fidelis, IBM, McAfee, Microsoft, Symantec, Verdaysys, Websense
Many risk management consultants tell organizations that they must perform a detailed business process mapping and build data flow diagrams of data and users who process data in order to achieve compliance and reduce the operational risk of information security.
This is a very bad idea.
Business process mapping is an expensive task to execute and extremely difficult to maintain, and it can require a large quantity of billable hours. That’s why companies like PwC, IBM, EY and KPMG love business process modeling. The added value of modeling data flows inside your organization between people doing their job is arguable. There are much better ways to make your organization robust to a major data loss event without writing out a 7 digit check for professional services and a BPM system from Business Objects, Cognos, Kalido, Oracle, Hyperion, Applix, Pilot, SAS or SAP.
There is a simple and effective way of figuring out data value at risk and mitigating data security threats:
Compliance is like being at all the rehearsals with a sharp pencil and playing your part perfectly – but not showing up to the gig. Being inside a strategic inflection point of change is like waking up during your own murder.
Inside a strategic inflection point of change, the people inside the system are not sure what is happening and have trouble putting an analysis and a possible solution to their malaise into words. We are seeing a continued rise of data security breaches perpetrated by trusted insiders, competitors and malicious outsiders despite billions being pumped into compliance and security technology products from companies like McAfee and Symantec. I doubt that during this current recession we will see many companies look for carpet-bombing technology solutions to their data security issues.
Is the security industry approaching an SIP, a strategic inflection point?
Categories: Anti-Fraud, Compliance, Data leakage, Information security, Risk Assessment, Risk mitigation, Threat modeling Tags: Data loss, IBM, McAfee, Microsoft, SIP, Symantec