Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, May 27, 2009

A few Thoughts on Security Assurance …

Based on various interactions and discussions that I had with organizations, customers and various people, I understand that dealing with “Security Assurance” is currently a major concern and issue.

How can a CIO/CISO be sure that their organization is making the right bets on the right security investments? How can they be sure that these investments are effectively addressing the right security issues (those of relevance to the business), especially in an ever-changing IT and social environment with a dynamic threat landscape? How can they get proper feedback about the current, overall situation, have a reasonable understanding of the risks and exposures involved, and be in a position to make informed decisions?

This is actually a “recursive problem” involving the various decision makers and managers up the organizational ladder. It impacts their ability to define proper policies and protect organizational assets.

“Security Assurance” is of particular relevance in the case of outsourcing and/or usage of services in the Cloud, when organizations lose control of their IT stacks and the related “control points”. Just relying on contractual agreements and hoping that everything is going to be fine is not a satisfactory approach.

I do not think that current bottom-up “security monitoring” and risk assessment tools/solutions can address this kind of challenge. This is really an area open to contributions and innovation.

Incidentally, all the above points also apply to the “Identity Management” vertical (Identity Assurance …).

--- Posted by Marco Casassa Mont ---
