Service-focused security offers best value to organization
This article is part of the Information Security magazine issue of May 2009
The tactics and personalities assumed by security teams have bred some rather novel approaches for implementing and promoting security practices within organizations. We've likely all seen the iron-fisted security group, which prefers the stick over the carrot and tries to garner support and compliance through the spread of fear and uncertainty. Having seen an information security manager brute-force C-level executive passwords and post them for all to see, I long ago concluded this approach doesn't work. Too often, security professionals damage relationships with key stakeholders through such aggressive tactics.
Other security teams attempt to raise awareness for their practice through the more benevolent approach of security metrics. But implementing metrics that demonstrate the monetary value of a security practice to the C-suite is a conundrum. Realistic security metrics related to monetary value simply don't exist, and never will, except in a very few unique, isolated scenarios. While their approaches are radically different...
Features in this issue
Identity management technology is adapting to meet enterprise needs. Learn what products can improve security and ease compliance.
Cut through the hype and learn the differences and benefits of intrusion detection and prevention systems.
Manual compliance processes are error-prone and drain corporate IT resources. Automated tools make a difference if you apply them to a well-organized compliance program.
Columns in this issue
A service-oriented approach is the best way to demonstrate security's value and win support for security initiatives.
Security researchers have declared they want vendors to compensate them for their independent search for vulnerabilities.
Security experts Bruce Schneier and Marcus Ranum debate whether users should have an expectation of online privacy.