In my previous post I noted both the importance of internal audit and corporate risk management and their often-ignored lack of relevance to the business of cyber security.
Audit and risk management are central to the financial services industry

Just because audit and risk management are central to the financial services industry does not make them cyber security countermeasures. Imagine not having a firewall but having an extensive internal audit and risk management activity: the organization and all of its paper, policy and procedures would be pillaged in minutes by attackers.

Risk management and audit are “meta activities”

In the financial industry you have risk controls, which are the elements audited by internal audit and managed by risk management teams. The risk controls are the defenses, not the bureaucracy created by highly regulated industries. So you can have a risk control of accepting (deciding not to have endpoint security and accepting the risk of data loss from employee workstations), mitigating (installing endpoint DLP agents) or preventing (taking away USB ports and denying Internet access), etc. This is analogous to a bank accepting risk (giving small loans to young families), mitigating (requiring young families to supply 80% collateral), and preventing (deciding not to give loans to young families). The important part is to understand that risk management and audit are “meta activities” and not defenses in their own right.

Why risk management often fails in cyber security operations

We note that attempts to apply quantitative risk management to cyber generally do not work because the risk management professionals do not understand cyber threats and equate people and process with mitigation. Conversely, cyber security/IT professionals do not have the tools to estimate asset value. Without taking asset value into account it is impossible to prioritize controls, as every car owner knows: you don’t insure a 10 year old car the way you insure a late model. Unfortunately for the lawyers and regulatory technocrats, while they are performing cross-functional exercises in business alignment of people and