Many business units are being drawn into using cloud services by the attractive economics, bypassing IT departments to host their applications and data in the cloud directly. This creates several problems for the IT organizations with reduced internal and external control.
- From RSA Whitepaper “The Role of Security in Trustworthy Cloud Computing”.
Even before cloud services became common, there were cases in which business units signed contracts with third-party providers to host their applications directly, bypassing the IT department. That is clearly not good practice from a governance perspective, and it should be a heads-up for CIOs in the cloud era.
If security experts do not fully understand the business, organizational roles, and people in general, they will not make the security sale. Security experts must be educators, which means they must understand human beings outside of their world, because all parties influenced and affected by security (and that’s everybody) need to understand, in a balanced fashion and in terms they understand, what security means to them.
- “Mission-Critical Security Planner”, by Eric Greenberg
In a service economy, knowledge is a critical asset, and Google has more knowledge than anyone in history. In our opinion, anyone who is not taking advantage of Google’s offerings soon will be fighting an inherent disability.
- “What Does Google Know?”, Gartner
Quality in a product or service is not what the supplier puts in. It is what the customer gets out and is willing to pay for.
- Peter Drucker, American management guru.
Establishing Data Ownership is a fundamental component or building block of any Information Security Management System (ISMS). The Data Owner is the single person ultimately responsible for their data. They define policy, control who has access and may delegate some or all of their responsibility to Data Stewards. The Data Custodians (typically IT) are the instrument of the Data Owner’s policies, enforce and manage policy compliance and help manage access rights and other IT controls according to the Data Owner’s requirements.
- From one security assessment report
“Never do today what you can put off till tomorrow if tomorrow might improve the odds.”
- Robert Heinlein
This is a very interesting point, particularly for security patching. Enjoy it.
And just as technology has been replaced by users as the driving force behind web sites, the computer is no longer the ultimate target of the malware – it is the user that is the target. Today, malware is almost single-purposed: to gain access to the user’s private, financial, and confidential information. To gain that access, malware authors exploit the very thing that makes Web 2.0 so successful – the user’s trust.
- Web 2.0: The New Face of the Web, Google
EA can survive hard times, even thrive. But first we must make some major changes in how we view EA. No more poorly defined payoffs that are years in the future. The payoffs must be immediate. They must be real. And they must be compelling.
- Roger Sessions
Note: EA here means Enterprise Architecture.
Security itself isn’t cheap. Adi Shamir says that security and cost are inversely proportional: to halve your vulnerability, you have to double your expenditure.
“You don’t know who is swimming naked until the tide goes out.” In our world, we don’t know whose systems are running naked, with no controls, until they are attacked.
Know where your data is, who has access to what, read your logs, guard your perimeter, minimize complexity, reduce access to “need only” and segment your networks.
The problem is that security’s effectiveness can be extremely hard to measure. Most of the time, we hear about security only when it fails.
- Bruce Schneier, “Beyond Fear: Thinking Sensibly About Security”
There is no security on this earth, only opportunity.
- Douglas MacArthur (1880-1964)
Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative. If we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed.
- Bill Gates