Astrophysicists and information security officers have something in common: The universes they monitor are expanding at an inexorable pace, and turning back time is not an option. We're being bombarded with competing demands around regulatory compliance and the next big thing in security, while the breaches we combat are having a larger impact. Our adversaries have gone from hobbyists to organized criminals, disclosure and privacy laws continue to be passed, the cost to clean up after attacks is rising, and reactive information security has proved ineffective. The stakes are a lot higher on all fronts, and the time for major change is clearly upon us.
It doesn't take a rocket scientist to realize that, in a resource-strapped world, prioritization is the critical component of setting an IT security agenda. Define the organization's most critical systems and data sets. Assess the risks associated with these assets. Decide which risks are acceptable, which can be mitigated, and which can be transferred. Build a plan, and allocate resources appropriately.
If only it were that easy.
There's no one-size-fits-all technology, process or approach to security. But after analyzing successes and failures and talking to industry leaders, one trend stands out: Organizations are shifting from yesterday's binary, yes/no, good/bad information security thinking to a pragmatic approach of weighing risks and acting accordingly.
Source: Information Week, http://www.informationweek.com