Disbanding your security team may not be an entirely dumb idea

Disbanding your security team may not be an entirely dumb idea, because plenty of other people in your organisation already overlap with their responsibilities, or could usefully do their jobs. That's an idea advanced by analyst firm Gartner's vice president and research fellow Tom Scholtz, who has raised it as a deliberately …

  1. Fat_Tony

    I met one chief security officer who said his team is known as the 'business prevention department'

    Just one?

    Most of the IS guys I worked with find it easier to prevent work going ahead, as it generally avoids introducing perceived risk. The perception is that saying no makes their lives easier, and as they tend to be super nerdy techie types, their interpersonal skills may not be the best, which feeds the perception. That said, if you ask the right questions, you usually find out what you need to do to get their approval, but it does take several attempts.

    1. Sir Runcible Spoon

      Re: I met one chief security officer who..

      If this is the perception then they're not doing their job properly.

      It isn't the job of the security team to prevent people from doing business, but they are responsible for telling the business if there is a more secure way of doing it.

      Failing that, document the risk and potential impact and get sign-off from the stakeholders and do what you can to mitigate.

      It should never be about preventing business; after all, if the revenue dries up there won't be anything left to secure. Compromise is required, but that requires adult conversations between 'The Business' and 'IT Security' to achieve.

      Since that seems quite difficult to most people they default back to 'computer says no', which is wrong.

      1. Robert Helpmann??

        Re: I met one chief security officer who..

        Appropriately enough, I had one of those conversations today. Worked out well, thanks very much. The programmers got an immediate band-aid and an acceptable long term solution.

        What I see in proposals like this is a simple alternative to the way things are normally done getting enough attention to have a temporary effect. It isn't inherently better or worse than other methods, but the initial enthusiasm for the change can have things get better (or worse, if there is none) for a while. Enthusiasm eventually peters out. What gets you through is good, robust methods, training, documentation and... well all the boring bits of doing work in a technical field.

        1. Anonymous Coward

          Re: I met one chief security officer who..

          Also, "how about .." always works better than "no".

          Most people I know don't purposely develop something that is unsafe, they just lack expertise, time or even budget. In a way, you're negotiating a change in their project and even if you have the Power Of The Board™ in your pocket, it's far more diplomatic and effective to guide and educate than to command - you can reserve the 250kg gorilla moves for when there is really no other way.

          In that respect I'd also suggest you exercise caution when someone seeks to calmly guide you - those are the people with real power. The red-in-the-face, I-am-one-level-up-and-ye-shall-obey idiots usually are that way because they know they don't amount to much, and nowadays I don't even accept a job if it requires working with people like that, I have better things to do.

    2. Commswonk

      Re: I met one security officer who said his team is known as the 'business prevention department'

      I immediately thought of Mordac the Preventer of IT Services.

      See Dilbert passim.

    3. Anonymous Coward

      Re: 'business prevention department'

      Most of IS guys I worked with find it easier to prevent work going ahead as it generally avoids introducing perceived risk

      They're not doing their job then. Their job is to ASSIST the business in ensuring that what they do is done in the safest way possible, which involves a good degree of pragmatism. I've worked in enough companies that recognise risk as something that must be addressed at the very inception of a service, and thus never have an issue later on. They set clear guidelines and ensure someone from the security team gets involved in the early concept discussions, which considerably smooths the path to Ready For Service approval. If you get the strategy right, the tactical component tends to slot in almost by itself.

      That said, those outfits were smart enough to consider risk a business-pervasive issue, not "just an IT problem", so risk assessments also fed into business continuity strategies, and there are now ways to integrate privacy management into that same framework (which is far more efficient than having a separate team and workstream, as assessment and assurance processes don't differ that much).

      This is not to say that I haven't come across some Kaiser wannabees, but they tend to scurry back into the dark holes they came from when confronted by experience, authority and a hint of the evil skills which lurk under the surface to do the job right :).

  2. Dan 55

    Stick this in your magic quadrant

    MS got rid of their Trustworthy Computing team and look how well it turned out for them.

    If you split up security into different teams, they can't address security as a whole. Everybody's just concerned with their own little patch. And the small security teams are probably easier to override.

    So yes, it is an entirely dumb idea.

    1. Ken Hagan

      Re: Stick this in your magic quadrant

      Agreed, and if you substitute "quality" for "security" then you have another example.

    2. Anonymous Coward

      Re: Stick this in your magic quadrant

      The worst part of the Fail when they dissolved (devolved?) the Trustworthy Computing team was when they dissolved its central authority. At least in the article they still stress the need for a central team even when you are pushing the security role deeper into the teams.

      That said, the Doltz Method probably won't work out well for most organizations that follow Gartner's guidance. The reason is also intrinsically linked to why MS shot itself in the foot by ending Trustworthy Computing. When the TC team had autonomy and authority, it could at least get things done. Its managers could protect its employees up to a point, which allowed them to tackle issues that made them unpopular in the short term but were (badly) needed for the long-term future of M$.

      When they broke up the team, the security people became potentially unwelcome outsiders at worst, but at best still the new guy and still an outsider. They reported to the same boss as everyone else on the team. They were but one voice among many others on the teams, beholden to the same short-term conflicts of interest (like not making their boss look bad) as the rest of the rank and file. So, stuck in the back seat, security and quality once again fell.

      What the article does not tell you is that you can embed security and QC people into your development teams, but they still benefit from reporting to a separate chain of command with enough autonomy of action that they can be effective. This shouldn't be an adversarial relationship, but part of the job of the security personnel is to accurately report to the central security team what's actually happening, regardless of how good or bad it makes the team/project manager look.

      A big part of QC and security is risk management, and it's not easy to do well when you're reporting directly to the risk you're managing.

  3. Gordon Pryra

    Scholtz

    Head of The National Outsourcing Association........

    actually he's not, but I thought it sounded like he may well be : )

  4. Solarflare

    Scholtz's thought process here appears to be on the lines of "well, companies with a lot of risk have big security teams, right? So if you make your security team reeeeeally small, you basically have no risk! Easy peasy."

    Personally I think having "a guy" in each function who drives security might work, but there would have to be something central looking to govern the entire thing as well or there would be no coordination and you would end up with huge "not my job that one guv'nor!" holes throughout the estate...

    1. Doctor Syntax

      "not my job that one guv'nor!"

      Also expressed as "when it's everybody's job it's nobody's job".

  5. Pete 2

    Stovepipes!

    The problem with relegating "security" to various other teams within IT operations (though really, security holes are primarily a software design - and possibly implementation - problem) is that each team will simply try to push a problem onto another team.

    I have worked in many organisations that have assigned specific and rigid roles to their various teams; they all spend significant amounts of time and effort trying to convince all and sundry in management that a particular problem is not their responsibility: either to take the blame for, or to resolve. I can see security issues being just another political football that gets kicked around for days, weeks, months, while the hackers hack away, merrily.

    It seems to me that this is the biggest failing of all the many business accreditation and "quality" initiatives that companies get suckered into. They all attempt to set out who is responsible for what, but cannot deal with issues that are multi-disciplinary in their nature, unforeseen, urgent and exceptional. By using this sort of approach, each team merely has a narrow view of the corporate "sky", through their particular "pipe" and fails to see the big picture: to do business and make money in an efficient, legal, safe and secure organisation.

    So sure, devolve responsibility for "security" amongst the IT teams. But at the same time ensure there is someone very high up who then has absolute power to cut through org-charts and charters, to tell anyone in any of those teams to stop what they are doing and FIX THAT SECURITY PROBLEM. NOW!

    1. Hans Neeson-Bumpsadese

      Re: Stovepipes!

      security holes are primarily a software design - and possibly implementation - problem

      Yes to the software design thing, but not *possibly* an implementation problem, *definitely* an implementation problem.

      Consider security holes like unchecked buffer overruns. That, to my mind, is an implementation fault. A designer would not normally be specifying how code should behave down to that sort of level of detail. There is an expectation that the developer writing the code will adhere to good practice. Such good practice should be documented (yes, that's a design issue) but can often be overlooked in the interests of meeting a deadline (or just plain sloppiness on the part of the coder). In those cases, the security hole has been introduced at an implementation level, not at design level.

    2. Sir Runcible Spoon

      Re: Stovepipes!

      "They all attempt to set out who is responsible for what"

      If people spent more time addressing the issues of the day than working out who to blame *when* it all goes wrong then there wouldn't be as much going wrong in the first place.

    3. Anonymous Coward

      Re: Stovepipes!

      Yeah, I've lived the Hell of the Warring Silos myself. Companies split things into Programming, QC, Tech Support, and Security, and everyone stands around pointing fingers at every problem and missed deadline.

      We finally got past some of it by splitting the teams and projects apart from the divisions. Each project got assigned people from R&D, Programming, QC, etc. Each project team was responsible for getting things done, and the division heads could escalate things if QC/security/support found problems. Not that any of that was very revolutionary. It also helped the company move on from horrible 1970s project management practices. More got done, people started making deadlines instead of missing them, and the performance and quality of the project improved by leaps and bounds. At least for a while... and the next re-org that undid everything that was working.

      These things really should be part of standard business practice to the point that your auditors/VCs/shareholders are calling out the structural problems. Otherwise you get the Corporate version of the fad diet of the week, with empty promises of unrealistic short term gains, leading to wasted money and disappointment.

  6. jake

    Why not?

    DevOps has almost convinced management to dispense with quality control. Why not get rid of security as well? What could possibly go wrong?

    Next on the block? I'm guessing employee benefits are detrimental to the bottom line ... Should be a good couple of dozen C* six month sabbaticals in there first, without alerting the shareholders.

    1. Lysenko

      Re: DevOps has almost convinced management...

      Exactly. That's precisely what this is - DevOps disease jumping species boundaries. The Adobe Flash "continuous delivery" (of CVEs) model is clearly an inspiration.

      I'm convinced half the product managers out there started off as CorelDRAW devs back in the '90s (poster child for "ship to marketing schedule, not to quality standard" and "beta test in production" back in the day).

      1. Anonymous Coward

        Re: DevOps has almost convinced management...

        And the CorelOffice suite, too.

        No, I've never had to download a GIANT patch for software that was delivered on a CD-ROM every other week and track problems that my userbase experienced by who had which build... (and this was back in the late 90s, so internet access was still A Thing That Was Not Cheap or Fast.)

        Come to think of it, I had to fight the same battle with Office 2010 here - seems one team decided to blame problems with the clients on the server team, even after the server team pointed out a year ago that it was the fact that they had deployed the RTM build instead of the recommended SP2 build...

        Anon for obvious reasons.

    2. Ken Hagan

      Re: Why not?

      Each team has its own management as well, so we can dispense with all the higher level managers, and certainly all the external consultants.

      That should save a bit of cash.

  7. Valeyard

    partial

    I think it's a good idea partially; have each team take responsibility for security in their own area from the ground up (i.e. talking about security during design sessions, coding defensively) and then the security team can be lessened and won't have to push back on things. They can also act as overall co-ordinators, policy-setters and educators, as well as ensuring that although two components may be secure in their own right, they don't introduce a vulnerability when used together.

    If you have one team doing it all at the end of the process, of course they're going to have to say "no" a lot and push back on things, because they're there after the mistakes have been made, and we all know prevention is better (and cheaper) than cure. The solution is to have security at every stage, and that includes where they currently traditionally sit.

  8. 0laf

    Really if you're a half decent IS guy you should be well aware that to impede the business means the business will go around you or through you. Remember this mantra and repeat frequently "Security is an enabler, security is an enabler".

    You have to fight your nature to become Mordac - Preventer of Information Services.

    But less facetiously don't just point at problems then fuck off back to your hole. If you see a problem with something you have to present a way to get out of it as well.

    The big "STOP" sign should only come out in emergencies and even then only to raise the risk with the risk owner. A lot of IS guys take the risks personally, and they need to remember that it's not theirs.

    If the board thinks it's ok to shift all personnel records to a Russian file share after you've pointed out the problems, then let them. Just cover your arse.

    That's the great thing about working in IS, with great power comes no responsibility.

  9. tfewster

    Interesting hypothesis

    After all, security is everyone's problem. But we're not all trained or available to tackle armed robbers, so we have a specialised group of "police" for that.

    InfoSec get the ear of the board, and hence funding, in a way that IT don't. Remarkable for a group of blockers playing on people's fears - telling CxOs that they could lose their jobs or go to prison if things go wrong.

    InfoSec must then use that power responsibly - to enable the IT team to make improvements. E.g. login management/SSO tools, which have security and productivity benefits. Patching policies and tools, which have security and productivity benefits. Malware blocking, which... You get the idea. Community policing as well as SWAT teams.

    1. Tom Paine

      Re: Interesting hypothesis

      InfoSec get the ear of the board, and hence funding, in a way that IT don't.

      * gasps for breath, wipes away tears of mirth

      I'm sorry, you were saying?

  10. 0laf

    And 'Security Team', many lols. Only the very largest organisations have a security 'team'. Most of us are lone voices in big organisations and when we're not firefighting we're trying to sweet talk the rest of the business into acting responsibly which isn't easy when the board only gives IS lip service unless it's the shiny thing of the week.

  11. Anonymous Coward

    Got to Gartner...

    ...then got a fit of the giggles and had to stop reading.

    1. Roland6

      Re: Got to Gartner...

      I didn't giggle, but was a bit bemused, a major Gartner client did this circa 15 years back. Hence either Gartner have only just uncovered the memo or they've gone full cycle...

    2. Robert Moore

      Re: Got to Gartner...

      Have they ever been right? I can't remember any examples.

  12. Anonymous Coward

    Security teams

    Security teams exist centrally because the people who should be doing this stuff fail to do so.

    An *enterprise* security team's main role is quality control on the others. Ninety percent of the job is QA, the other 10% is ninja security magik.

    The security team will hardly ever touch other people's kit, but simply ask them to do their job properly. This reminder role is endless in a big org. You will never be able to sit back and say "well we are fully secure because everyone is remembering what we told them to do".

    So with this in mind, getting off of the backs of the rest of the IT people is probably the worst thing that you could ever do.

    Obviously results may vary, particularly if your "enterprise" is actually 3 techies and a dog called Colin.

    1. Solarflare

      Re: Security teams

      In all fairness, Colin is the most reliable - he does as he is told and tends to crap on the rug less than the techies.

  13. Snorlax

    Hmm yeah sure...

    "He also says plenty of businesses see centralised security as roadblocks. 'I met one chief security officer who said his team is known as the "business prevention department",'"

    I'll take "Things that never happened" for $800, Alex.

    I guess all the press about increased jobs and spending on security is bollocks.

    Fail to secure your networks properly and you'll know all about "business prevention" when the next WannaCry or Netya hits...

  14. Milton

    And then there's the staggering lack of competence

    As others have pointed out, a dedicated security team rapidly becomes a major obstacle to getting anything done. It's much easier to say 'no' than to make your job hostage to some failure, however minor and inconsequential, that can later be used against you.

    And that problem is multiplied ten-fold when your security team is poorly managed and staffed by people who don't actually understand the subject very well. If IT in the Anglophone world has a chronic problem with cowboys, then—barring web development, which seems to be infested with incompetents—security is like the seventh circle of hell. There is something about it that attracts a certain kind of personality: very often those political types who love the sound of their own voices, enjoy a few scraps of power, and still labour under the delusion that some hideous Powerpoint slides with naff toons nicked from the web is in some way equivalent to providing management, leadership or "doing strategy".

    There is no such thing as perfection, and security is never perfect. It's always about trade-offs. This requires calculation and judgement. Don't spend £1m bulletproofing your business against a mythically unlikely attack that would only cost you a few grand even if it occurred. Conversely, don't let bean-counters deny you the £100k you need to ensure that a million customers' travel habits don't get leaked on the net—just because the leak wouldn't cost the business a penny in fines or refunds doesn't mean the reputational damage won't kill you.

    Barring network specialisations—right down to hardware level, because the plumbing is a special case—you should indeed discard the very concept of a security team. Instead, get your management, for once, to do something useful, in understanding the real threats and risks, distinguishing catastrophic scenarios from mere inconveniences, setting priorities, and then making sure that the folks working on the vulnerable-with-consequences systems know that their careers depend upon building security into their work, not as an afterthought but as part of its DNA. (And don't forget to train and resource and appreciate them properly, or it will all be for naught.)

    As ever, it all comes down to good management and leadership by people with brains and long-term vision. Unfortunately, the current cadre of executive management is mostly short-term, greedy, makes a virtue of ignorance of detail and constitutes, in short, a Boris Johnson approach to everything ... so despite what I said, you're doomed.

    1. Tom Paine

      Re: And then there's the staggering lack of competence

      As others have pointed out, a dedicated security team rapidly becomes a major obstacle to getting anything done.

      And as others have pointed out above, that's clearly anecdotal evidence based on bad experiences with bad security teams. I imagine you've been unfortunate in your choice of employers. I'm not for a moment suggesting there isn't plenty of crap security ops around, but that is not the only way, oh grasshopper. (Sorry, it just popped out.)

    2. Tom Paine

      Re: And then there's the staggering lack of competence

      don't let bean-counters deny you the £100k you need to ensure that a million customers' travel habits don't get leaked on the net

      You've never actually worked in security, have you? Guess what: we don't control the people who control the money. "Don't let them not give you the money"? What are you going to do, bleed on them?

      1. Anonymous Coward

        Re: And then there's the staggering lack of competence

        "You've never actually worked in security, have you? Guess what: we don't control the people who control the money. "Don't let them not give you the money"? What are you going to do, bleed on them?"

        Milton can speak for him/herself but I think the point is about balancing budgets based on risk. Not about strong-arming the beanies for a specific amount of money. Assuming you've ever been an influencer or decision maker in IT security spend, on what basis did you make your decision - colour, size, pew-pew map, or requirements linked to business risk?

    3. Anonymous Coward

      Can't Fix Stupid

      When the CSO type is a pointy-haired bench warmer, it can doom your entire effort. I felt some of that pain when the "Management Consultant" witchdoktors decided "Risk Management" was the new cool buzzword. They then started recommending non-technical managers from outside the technology universe, who then failed to understand the big-picture risks and started cutting quality/security because it was a quick way to boost the next quarterly reports.

      They also usually didn't have to clean up the mess they created, and left it for the next guy as they skipped for the next job with some fresh bullet points on their C.V. about boosting efficiency and meeting budgets for four consecutive quarters.

  15. Anonymous Coward

    deregulation

    Isn't this just another lunatic banging on about how red tape and rules just get in the way of "business"?

    1. Peter2

      Re: deregulation

      No, he's trying to make the point that you should always consider whether the way that you're doing things is the best way of doing them.

      In this case, he's asking if, instead of having one large security group that is responsible for "security", it'd be more sensible to (for instance) spread the security-trained people out into the wider business and make the departmental managers responsible for operating securely, with a smaller security group supervising them and reporting elsewhere to ensure that operations are done securely and effectively.

      Would this be just as effective? Who knows. But it's right to ask the question.

        1. Doctor Syntax

        Re: deregulation

        "Would this be just as effective?"

        Let's see.

        Marketing department decides it's perfectly OK to spam customers irrespective of whether they wanted to be spammed or not. Hands over customer list to "digital marketing company" AKA professional spammer. Together they concoct email which is infested with links except web site managers refuse to host them so the spammer does that as well. Ends up training customers to be phished with customer list in hands of spammer to be re-used for other clients, sold on or both. Do we expect marketing departments to have security functions to make sure this is done properly?

          1. Peter2

          Re: deregulation

          The question is, would having members of the department advising the manager that this is illegal, and/or sending a memo to his boss if he ignores them, be any less effective than the security department screaming YOU DID WHAT! after they find out?

  16. This post has been deleted by its author

  17. Anonymous Coward

    Sounds daft

    Especially with the National Information Security Directive headed our way.

    But why not sack me and hire me back in a year at twice the salary? Feel free!

  18. Anonymous Coward

    Guess that's a few infosec teams gone then

    Given the fact that many CIOs and CTOs can't make their own decisions and hang on every word coming out of Gartner, I expect swingeing cuts in many infosec teams across the globe.

    The scammers must be rolling on the floor in joy.

    1. Snorlax

      Re: Guess that's a few infosec teams gone then

      @Anonymous Coward: "I expect swingeing cuts in many infosec teams across the globe."

      That's your informed opinion, is it?

      Worldwide infosec spending to reach $93bn in 2018

      Aussie InfoSec spending to top $2.8 billion this year

      The Fast-Growing Job With A Huge Skills Gap: Cyber Security:

      "The ISACA, a non-profit information security advocacy group, predicts there will be a global shortage of two million cyber security professionals by 2019. Every year in the U.S., 40,000 jobs for information security analysts go unfilled, and employers are struggling to fill 200,000 other cyber-security related roles, according to cyber security data tool CyberSeek. And for every ten cyber security job ads that appear on careers site Indeed, only seven people even click on one of the ads, let alone apply."

  19. GnuTzu

    "You Have To Let Them Think It's Their Idea"

    On the topic of making proposals, I heard a junior VP say "you have to let them think it's their idea".

    I used to have to play the road block, but life as an infosec professional got a lot easier when I was permitted to act as one who assists others at being more secure. If you want to get rid of the security team, you'll have to hire sys admins that actually know security. It's better to change the role of the security team, and make them a resource that enhances the IT teams. Don't hire infosec people that only know infosec; hire infosec people that have worked as IT people. Life will be a lot easier and more efficient.

    But, do I get to pass this up the chain? No. These experts with blinders on get the accolades. Bitter? Not really. I've been working from this perspective long enough to have a job where it's appreciated. It really does make life good. Oh, I still have to play the road block from time to time; but only for the really stupid stuff.

  20. Tom Paine

    Gartner, Schmartner

    Using a couple of anecdotes about poorly organised and/or functioning security teams barely even qualifies as a logical fallacy, it's so obviously nonsense. Cars sometimes crash, injuring or killing people. Therefore cars must be banned. I wonder if Marketing deliberately saves up nonsense like this all year ready to drop it in the silly season, or perhaps it goes on all the time unnoticed except when things are quiet...

  21. Amos1

    Sounds like another management idea - "They are all just IT guys, right?"

    For starters, they are two entirely different disciplines. If IT could have handled information protection tasks, they already would have. But now we have the mess the world has.

    IT Security has three balanced priorities: Confidentiality, Integrity of data, and Availability.

    IT and developers and CIOs also have three priorities: Availability, Availability and Availability.

    For this to work, the bonus-level managers have to have information protection made a part of their priorities. Give them a 10% "bonus haircut" if their groups have a higher failure rate than 1% on Phishing tests and you will see how fast that problem goes away. It has not gone away yet because managers have not been personally incentivized to consider anything except Availability.

    1. Doctor Syntax

      Re: Sounds like another management idea - "They are all just IT guys, right?"

      "IT Security has three balanced priorities: Confidentiality, Integrity of data, and Availability.

      IT and developers and CIOs also have three priorities: Availability, Availability and Availability."

      Presumably you've never been a DBA. If you had you should have been aware that integrity of data was your first priority.

      You're spot-on about bonus level managers, however.

      1. Amos1

        Re: Sounds like another management idea - "They are all just IT guys, right?"

        DBAs have their own priorities: Integrity of data, Performance a.k.a. Availability, and access to data a.k.a. Availability.

        That being said, two of our three DBAs have it right. The third one has Performance for all three.

    2. J. Cook

      Re: Sounds like another management idea - "They are all just IT guys, right?"

      More or less spot on.

      System Admins (Storage, server, mail, etc.) have "Data Integrity, Availability, Confidentiality" as their three. At least the good ones do. (At least I *hope* I'm a good one!)

      Then again, I wear a lot of hats in my current position. Not surprisingly, someone snuck 'infosec' onto my hat rack while I wasn't looking.

  22. Chris Miller

    It's never (well, hardly ever) the job of Security (or IT in general, for that matter) to say "No". It is their job to point out the costs and risks associated with a particular course of action. Given that there's no such thing as absolute security, security is always about managing risk. The appetite for risk varies greatly between different (and different types of) organisations, which is why 'one size fits all' security solutions are few and far between.

    1. Doctor Syntax

      I don't like the term "appetite for risk", it's just an encouragement for cowboys. "Tolerance of risk" seems a better starting point.

      1. Naselus

        Yeah, a 'risk appetite' is more applicable in finance, where higher risk is directly proportionate to higher rewards; in IT risk has less of an upside.

        1. Chris Miller

          Whether you call it "appetite for risk" or "tolerance of risk" is not a big deal. But the point is that this isn't (shouldn't be) a purely IT decision, because security is not purely an IT issue. Businesses exist in order to take (and share) risk - but how much risk they're prepared to take is a question that is ultimately for the owner(s) of the business to decide.

  23. Anonymous Coward

    Management Problem

    This is a management problem, not a staff problem. All it takes is bad planning and clueless management, to badly plan teams, responsibilities, and tasks, to ensure that things don't get done properly. Staff members just do their jobs according to Management policies and procedures. If those policies are ineffective and the procedures aren't productive and successful, that's the fault of bad management. But instead of firing the managers who are doing a terrible job of management, let's fire staff and either eliminate their jobs or replace them, to cover up bad management not doing THEIR jobs?

  24. Aodhhan

    Tom Scholtz is just trying to profit

    This guy has been around for at least 5 years doing this and saying whatever he needs to in order to build a following; or should I say a congregation of the ignorant.

    Another person taking advantage of presenting "cost cutting" seminars and webinars for profit.

    In my view he's no different than a crooked TV evangelist or a phishing author.

    5 years ago he was speaking about the need for InfoSec and putting the people at the center of security. Because at the time, this was the popular sermon to preach. Now, it's businesses looking for ways to save money, so he's preaching a different verse. Just go back through the last 5-6 years of his messages and you'll see what I mean.

    Where Tom fails with this latest story is leaving out the victims... both organizational and customers.

    What should be properly preached is how InfoSec is helpful and good for business; stop looking at security as a cost saver or some preventative measure like a simple padlock.

    Implementing security properly into the SDLC along with proper risk management is good business and a HELPFUL means of deploying technology. Not a restrictive means of deploying risk management. Look at security as a marketing and investment tool... not a barrier to customers.

    Tom, try filling your pockets by teaching these aspects of InfoSec and you just might garner respect from the InfoSec community as well as business. It's Tom who is being a barrier to InfoSec, customers and organizations. All to fill a bank account.
