Information Security celebrates its 10th anniversary with a new theory on risk management for the next decade.
It was a blast putting this issue together because it gave all of us a chance to reconnect, or connect for the first time in some instances, with the pillars of this industry. We're fortunate to have access to these people that many in our readership don't enjoy, and it's our job to foster those relationships and share their insight, advice and leadership with you.
So in homage to that spirit, I bring you a new direction and some food for thought as we begin the next 10 years of our existence.
At our Information Security Decisions conference in November, one of our Security 7 award winners, Tim McKnight, suggested we might change the name of the show to Information Risk Decisions because managing and prioritizing spending and security programs based on risk is essentially the only way that makes sense.
Well, luminary Donn Parker, one of the first to research cybercrime, begs to differ. I interviewed Donn for this issue (download the complete interview at searchsecurity.com/10thanniversary) and he's not buying the current groundswell of interest in risk management. He said so in an ISSA Journal article last year, and reiterated it to me a few weeks ago.
"Reducing risk is a very weak objective for information security, because it is not measurable," Parker says. "How can you have risk management--which is an oxymoron--work, if you cannot measure the risk in any valid way? I think it's important to recognize that nobody has ever publicly done a study showing the validity of risk assessment and risk management."
Parker says he's getting support on his theory because CISOs are starting to discover that risk management is a failed methodology. Rather than selling risk to upper management for project approval and spending, he suggests CISOs have other critical objectives for security than merely risk reduction, namely: compliance, diligence and enablement.
This was first published in January 2008