Wednesday, August 29, 2012

Do security like a start-up or get fired - Manage risk

This is part of a blog series. For more details, start with the intro.

Manage risk appropriately, not compliance

If it were all about compliance, we wouldn't keep hearing about data breaches at organisations that were supposedly PCI-compliant at the time. Sure, if there are compliance measures to meet and audits to pass, these need to be addressed. But the minute information security becomes more about passing audits and being compliant than about managing risk, you're in trouble. In other words, don't fall victim to check-box security syndrome.

The most important word in the title is: appropriately. Don't put in security for the sake of it. Just because you can lock something down to the nth degree does not mean it needs to be done; a control that costs more than the risk it reduces is itself a bad outcome. Always bring it back to what you're actually trying to achieve. Remember, it's about trust, brand, reputation.

Next up - Own your security.
