The Disconnect Between Security & The Business

Saw an interesting item this morning and decided to re-tweet it as well as include it in my blog. (http://jadedsecurity.net/2011/06/07/the-disconnect-between-security-the-business/) Yes, there is a disconnect between security and “the business” and I believe it is the primary driver for so many successful exploitations. What many businesses don’t yet fully grasp is that security is a business mandate, not an IT function. Security needs to be driven from the top down and not delegated to the “guys down in IT”. As the article says, “The new buzzword of the times is GRC (Governance, Risk, Compliance)…..”. Certainly, IT has an important role, but IT is not the driver. Governance, risk and compliance starts at the top. If businesses really want to reduce information security risk they need to have processes and procedures in place that are driven by governance mandates where risk is assessed and ultimately mitigated by compliance with the processes and procedures. It’s not inexpensive, but it is surely less expensive that a breach and all the associated costs.