It seems like the more I consider today’s information security environment, the more I feel like Ma and Pa Kettle negotiating a contract with a city-slicker. The math just seems to work differently depending on your audience.
I recently saw a graphic in which CIOs and CSOs were asked whether regulatory compliance has improved their organization’s security posture. As you would expect, the CIOs strongly agreed with the statement, while the CSOs leaned more toward strongly disagree.
Well, now another thought comes to us infosec professionals from the legal world. We are already under plenty of compliance requirements such as Basel II, SOX, HIPAA, PCI-DSS, FISMA and the like. But now we also have to contend with “legally defensible” IT security. I agree that this idea has its merits in trying to get everyone speaking the same language of risk and management. It is challenging enough to get information security talking the language of the business, but now we have to learn legalese as well? I think I’ll check whether translate.google.com can help out with that!
Thanks for reading & let’s continue to be good network citizens!