Can IT Compromise On Security Without Being Compromised?
Written by Evan SchumanOctober 15th, 2009
When it comes to security, IT’s job is to do whatever it takes to keep the chain’s data safe. But with budgets being universally tight—and nowhere more so than in IT, where the only things offered are potential cost reductions and risk avoidance, with no revenue boosts in sight—compromise is mandated.
But how far does a chain have to go? And what choices are reasonable, and which ones are a little too dangerous? Those are the first issues StorefrontBacktalk is exploring in a series of GuestView columns that will be appearing on a new blog launched by security vendor McAfee. The first of our columns launched Wednesday (Oct. 14).
-Dan Stiel
October 15th, 2009 at 10:02 am
I’ve been in Info Sec for a while (I undertook my first security investigation in 1984). Early in my career, there were a lot of folks in the field who viewed this as a “yes/no profession”. Those individuals found their careers limited and their opportunities curtailed. InfoSec HAS TO BE a “here’s how” profession.
InfoSec decisions are a business risk decision. Few if any risks can be completely eliminated, and expense increases the farther a business proceed along that path. The value a good InfoSec leader brings to his company is the ability to define and prioritize the risks associated with technology decisions, allowing the business to make an informed decision regarding the tradeoffs involved in mitigating vs accepting risk.
The answers to those questions are as unique as the individual business. They vary based on dozens of factors including technology, culture, risk tolerance, regulatory environment, and corporate ethics.
The InfoSec manager has to be aware of when and where he is in conflict with those constraints, and act accordingly. Discomfort with risk tolerance or culture may require adjusting personal preferences, or changing companies to one that more closely aligns with his preferences philsophically.
Conversely, violations of law, ethical misconduct, or violations of professional codes of ethics require significantly greater moral courage and represent infinitely greater personal and professional risk. It will be interesting to watch your guest columnists discuss these situations…..
October 15th, 2009 at 1:25 pm
Thanks, but anyone looking to my columns for guidance on moral courage is in a serious world of hurt, as it were. That’s sort of like watching Three Stooges shorts in search of spiritual fulfillment.