Monday, June 22, 2009


Stupid Enterprise Security Thought Patterns

The rant regarding PCI continues, and some of it has merit; however, I believe we need to analyze the thought processes of those forced to comply for flaws and throw daggers at them...



PCI tells you what to do but not how to do it. Likewise, many guidelines such as NIST RBAC tell you what to do but not how to do it, and that is as it should be. In the same way that the Chairman of the Joint Chiefs of Staff doesn't deliver your milk, it requires us to acknowledge whose responsibility it is to figure certain things out.

The notion of being spoonfed anything and everything in nice bite-sized chunks will almost always result in missteps, misspending and of course increased risk. Some within the blogosphere believe that auditors need to be held more accountable, which at some level I agree with. I do believe that auditors need to be held to higher standards, which implies higher competence, and that is distinct from accountability.


Enterprises need not only Chief Information Security Officers (CISO) but also wise, technically-savvy Chief Security Architects who will acknowledge that the role of an auditor should be to help you assess the risks to the ecosystem, where it is your accountability to decide how to secure it, secure it accordingly, check that a minimum number of effective controls are in place and, where possible, adhere to industry standards.

