This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
Download it now to read this article plus other related content.
Compliance is a straightforward exercise, Parker says. Fines and the threat of imprisonment make compliance a no-brainer objective for security and management.
Diligence, or benchmarking your organization against that of a successful security operation, is a powerful tool to wield with management in order to motivate them to take action. These benchmark tests, Parker says, can be done in confidence with a peer CISO in order to establish a baseline of security success against which your organization is com- pared. "If you want to make sure you are doing as least as well as your competitors are doing in security, here is a list of things you must improve," Parker says.
Finally, enablement happens when security is the competitive differentiator between two services.
Parker believes CISOs would open a wider pipe-line to the top by basing their programs on these three objectives.
"I think that it is difficult to use risk reduction in selling security to top management, because top management is used to dealing with business risks every day," Parker says. "They look at risk assessments provided by CISOs and say 'OK, we've got risks, but we've got risk every day. We'll just let that risk lie there. We have more serious business risks to deal with.'"
Is that happening in your organization? Do you think it is time to reconsider risk? Donn Parker says so, and
| that's a pretty big endorsement. I wonder if when it comes time for Information Security's 20th anniversary issue whether we'll look back at his thinking as an inflection point for the coming decade.
This was first published in January 2008