Message-ID: <3F7AC227.9050900@opengroup.org>
From: capegeo at opengroup.org (George Capehart)
Subject: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)
Michael Scheidell wrote:
>><cynical grin> Would that that would really help. I guess maybe in the
>>long run it might, but I'm not holding my breath. There's still the
>>small matter of connecting cause with effect and then implementing a
>>program that will function appropriately at all levels of the
>
>
> Just did a presentation to a bunch of AeA CFOs (AeA is American
> Electronics Association) where on the first slide I gave them a piece of
> paper that has to go with their 10K reports and said:
>
> Ok, as the CFO of a public company, would you sign this:
> (a bunch of legal gook I got from our SEC lawyer).
>
> Went through a high (board level) presentation with lots of pretty color
> pictures, talked about jail time and fines and informed them that the
> CFO is the one who will sign it.
> Then when done, said 'ok, NOW who will sign this? You KNOW for a FACT
> that your IT department has taken care of this, right? You don't need an
> outside/third party audit to make sure the IT or internal security guys
> did their job, right?'
>
> NO ONE wanted to sign it then.
Heh. That's great. Wish I could have been there to see that. Sounds
like you really got their attention. But this brings me back to the
original concern: It's one thing to realize that you have a problem.
It's something else to fix it. And my experience has been that the
people who have the problem don't have a clue how to fix it. Clueful
organizations have a strong Information Security/Assurance *program* in
place. CFOs of those organizations *will* sign the document because
there *is* a formal risk management process in place which includes some
kind of certification and accreditation process. They are *very* likely
to be the approving authority on some of the systems. They are also
part of the governance process. If there is no Information Security /
Assurance *program*, there is a huge problem. This is the one I
continue to encounter: When an external audit/assessment shows many
deficiencies, the response of the clueless organization is to: a) (try
to) patch the holes, and b) maybe offer up a sacrificial lamb. However,
the _root_cause_ of the existence of the problems in the first place is
the absence of a real program. In the absence of a program, even if the
holes are patched, within a year they will return or be replaced by
others. So the *real* solution to the problem is to patch the holes
*and* the organization . . . by implementing an effective program. One
would hope that, having had their attention focused on the existence of
symptoms, the CFOs will conclude that their organization is sick. Some
will. Some won't. Of those that will, how many will know what "the
cure" is, or how to go about getting it? *This* has been my
frustration: having enough time with the right people to educate them
on what the options are and what the solution is . . .
Cheers,
George Capehart
--
George W. Capehart
"We did a risk management review. We concluded that there was no risk
of any management." -- Dilbert