Thursday, October 1, 2009

Josh Corman at IANS

Just attended an interesting keynote by Josh Corman at the IANS event in Boston this morning. Very thought-provoking stuff - he also has an article about it in CIO magazine.

Being a good marketer, Josh trimmed down the 8 secrets to 7 (but wait, one was free and he counted from zero, so we are back to 8 :)). I had previously discussed one of his takes in this blog.

The interesting part about listening to the discussion live is Josh's emphasis on risk. He believes that we as security professionals have been so caught up with managing around compliance mandates that we have not stepped back to think about what risk we are mitigating.

Excellent point - especially when it relates to projects on hand. Would you do disk encryption based on the knowledge that 31% of all breach incidents are the result of lost and stolen laptops? Of course you would. However, would you rethink your decision if you also knew that these lost laptops account for only 9% of all data lost? Hmmm, does FDE only reduce risk by 9%?

That begs the question, what else reduces risk by a larger percentage? Interesting topic and subject for another post....
