Friday, April 10, 2009
Explaining Security to Business People
"Not invented here" is a common attitude in many enterprises on many topics, but security is harder still: before people will spend time and effort quantifying additional requirements, they first have to acknowledge that their current thinking is incomplete and that ad hoc schemes are not enough.
Security is a business issue, and many of the decisions should be made by business people. Yet there is no framework that helps business people, who generally are not as keen as IT to seek enlightenment on the subject, participate and make informed decisions. Imagine what would happen if business customers came up with their own scheme for disaster recovery or high availability. They would probably arrive at something that is either expensive and ineffective, or simple and ineffective. There are many ways to meet HA/DR requirements, but you usually have to specify the need before you can decide how to meet it.
So, what are security professionals not doing that the HA/DR people have figured out? Maybe this can be a conversation at an upcoming OWASP conference.