Michael Scheidell wrote:

<cynical grin> Would that that would really help. I guess maybe in the long run it might, but I'm not holding my breath. There's still the small matter of connecting cause with effect and then implementing a program that will function appropriately at all levels of the


Just did a presentation to a bunch of AeA CFOs (AeA is American
Electronics Association) where on the first slide I gave them a piece of
paper that has to go with their 10K reports and said:

Ok, as the CFO of a public company, would you sign this:
(a bunch of legal gook I got from our SEC lawyer).

Went through a high (board level) presentation with lots of pretty color
pictures, talked about jail time and fines and informed them that the
CFO is the one who will sign it... then when done, said 'Ok, NOW who will sign this? You KNOW for a FACT
that your IT department has taken care of this, right? You don't need an
outside/third party audit to make sure the IT or internal security guys
did their job, right?'


NO ONE wanted to sign it then.

Heh. That's great. Wish I could have been there to see that. Sounds like you really got their attention. But this brings me back to the original concern: It's one thing to realize that you have a problem. It's something else to fix it. And my experience has been that the people who have the problem don't have a clue how to fix it.

Clueful organizations have a strong Information Security/Assurance *program* in place. CFOs of those organizations *will* sign the document because there *is* a formal risk management process in place which includes some kind of certification and accreditation process. They are *very* likely to be the approving authority on some of the systems. They are also part of the governance process.

If there is no Information Security/Assurance *program*, there is a huge problem. This is the one I continue to encounter: When an external audit/assessment shows many deficiencies, the response of the clueless organization is to: a) (try to) patch the holes, and b) maybe offer up a sacrificial lamb. However, the _root_cause_ of the existence of the problems in the first place is the absence of a real program. In the absence of a program, even if the holes are patched, within a year they will return or be replaced by others. So the *real* solution to the problem is to patch the holes *and* the organization . . . by implementing an effective program.

One would hope that, having had their attention focused on the existence of symptoms, the CFOs will conclude that their organization is sick. Some will. Some won't. Of those that will, how many will know what "the cure" is, or how to go about getting it? *This* has been my frustration: having enough time with the right people to educate them on what the options are and what the solution is . . .


Cheers,

George Capehart
--
George W. Capehart

"We did a risk management review.  We concluded that there was no risk
 of any management."  -- Dilbert



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html