SJS wrote:
> begin quoting Todd Walton as of Sun, Jun 15, 2008 at 09:21:15AM -0500:
>> On Sun, Jun 15, 2008 at 4:33 AM, James G. Sack wrote that Bruce Schneier
>> wrote:
>>> ..solution is not to sell security directly, but to include it as part
>>> of a more general product or service. Your car comes with safety and
>>> security features built in; they're not sold separately. Same with your
>>> house. And it should be the same with computers and networks. Vendors
>>> need to build security into the products and services that customers
>>> actually want. CIOs should include security as an integral part of
>>> everything they budget for. Security shouldn't be a separate policy for
>>> employees to follow but part of overall IT policy.
>> But that only works so far as security can be canned up and put into a
>> product. There's an element of security that requires someone to stop
>> and think about it.
>
> Oh, that's what process is for. We'll hire a bunch of junior folks, and
> we'll hand them five three-inch binders, and they'll come up with a
> solution, all according to the certified process.
>
<heh>

But perhaps considering the organization as the product would help cover Todd's point. I tend to read (e.g., presume, for my convenience) a lot between the lines, but I think that may be what Schneier meant in talking about the CIO "including security as an integral part of everything they budget for" -- along with (say) accounting.

Speaking of accounting, perhaps eventually the concept of security accountability will apply as matter-of-factly as financial accountability (or quality accountability).

Regards,
..jim

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
