Wednesday, August 22, 2007

Gartner on Security and Risk Management

Anton Chuvakin pointed me to this blog article on a Gartner Group Security & Risk Management blog. The article lists a number of common pitfalls in security. Interestingly, the following points are among those made by the analyst who wrote the entry:

5. Most likely to result in less security:
Compliance efforts

6. Most likely to result in more compliance:
Security efforts

Much of the focus that the information security field has at the moment is directly caused by C-level requirements to be "in control" and "compliant". Gartner Group makes the point (which I have tried to convey for a long time to many of my own clients) that compliance will not lead to security, but that increasing security will lead to compliance.

In the whole compliance debate, goal and means have been confused for too long. The goal of the whole compliance process is to protect stakeholders' interests, and some of the means that can be used to achieve that are security related. Compliance is not the goal. Protecting stakeholders' interests is.
