Fixing the #1 problem in IT Security

Somewhat off-topic, but it is something I seem to deal with on a daily basis with my clients. Roger Grimes has written an interesting paper: “Implementing a Data-Driven Computer Security Defense.” His thesis is that most organizations don’t match their defenses to the actual risks they face. His paper explains how it got to be this way, and how to fix it.

Many companies do not appropriately align computer security defenses with the threats that pose the greatest risk to their environment. The growing number of ever-evolving threats has made it more difficult for organizations to identify and appropriately rank the risk of all threats. This leads to inefficient and often ineffective application of security controls.

Worth a read for sure. Thanks, Bruce Schneier, for the find.