Information Security celebrates its 10th anniversary with a new theory on risk management for the next decade.
Cramming 10 years of information security into 64 pages this month required a mighty big shoehorn, not to mention months of planning, hundreds of hours of research, interviewing and reporting on the happenings of the last decade in order to justly commemorate this publication's 10th anniversary.
It was a blast putting this issue together because it gave all of us a chance to reconnect, or in some instances connect for the first time, with the pillars of this industry. We're fortunate to have access to these people that many of our readers don't, and it's our job to foster those relationships and share their insight, advice and leadership with you.
So in homage to that spirit, I bring you a new direction and some food for thought as we begin the next 10 years of our existence.
At our Information Security Decisions conference in November, one of our Security 7 award winners, Tim McKnight, suggested we might change the name of the show to Information Risk Decisions because managing and prioritizing spending and security programs based on risk is essentially the only way that makes sense.
Well, luminary Donn Parker, one of the first to research cybercrime, begs to differ. I interviewed Donn for this issue (download the complete interview at searchsecurity.com/10thanniversary) and he's not buying the current groundswell of interest in risk management. He said so in an ISSA Journal article last year, and reiterated it to me a few weeks ago.
"Reducing risk is a very weak objective for information security, because it is not measurable," Parker says. "How can you have risk management--which is an oxymoron--work, if you cannot measure the risk in any valid way? I think it's important to recognize that nobody has ever publicly done a study showing the validity of risk assessment and risk management."
Parker says he's getting support for his theory because CISOs are starting to discover that risk management is a failed methodology. Rather than selling risk reduction to upper management to win project approval and spending, he suggests CISOs pursue other critical objectives for security beyond risk reduction, namely compliance, diligence and enablement.