Information Security Magazine
Editor's Desk: Risk is the new black
by Michael S. Mimoso
Issue: Jan 2008

Information Security celebrates its 10th anniversary with a new theory on risk management for the next decade.


Cramming 10 years of information security into 64 pages this month required a mighty big shoehorn, not to mention months of planning, hundreds of hours of research, interviewing and reporting on the happenings of the last decade in order to justly commemorate this publication's 10th anniversary.

It was a blast putting this issue together because it gave all of us a chance to reconnect, or connect for the first time in some instances, with the pillars of this industry. We're fortunate to have access to these people that many in our readership don't enjoy, and it's our job to foster those relationships and share their insight, advice and leadership with you.

So in homage to that spirit, I bring you a new direction and some food for thought as we begin the next 10 years of our existence.

At our Information Security Decisions conference in November, one of our Security 7 award winners, Tim McKnight, suggested we might change the name of the show to Information Risk Decisions because managing and prioritizing spending and security programs based on risk is essentially the only way that makes sense.

Well, luminary Donn Parker, one of the first to research cybercrime, begs to differ. I interviewed Donn for this issue (download the complete interview at searchsecurity.com/10thanniversary) and he's not buying the current groundswell of interest in risk management. He said so in an ISSA Journal article last year, and reiterated it to me a few weeks ago.

"Reducing risk is a very weak objective for information security, because it is not measurable," Parker says. "How can you have risk management--which is an oxymoron--work, if you cannot measure the risk in any valid way? I think it's important to recognize that nobody has ever publicly done a study showing the validity of risk assessment and risk management."

Parker says he's getting support on his theory because CISOs are starting to discover that risk management is a failed methodology. Rather than selling risk to upper management for project approval and spending, he suggests CISOs have other critical objectives for security than merely risk reduction, namely: compliance, diligence and enablement.


All Rights Reserved, Copyright 2003 - 2009, TechTarget