Why Don't Enterprises Use Information Security Certification?
Posted by John Verry on Fri, Nov 20, 2009 @ 02:45 PM
We are fortunate enough to work extensively with both government and private sector clients. The two biggest differences we notice are that government entities are much more risk-intolerant, and that most government entities employ some form of Security Certification & Accreditation (SC&A) process.
Figuring out why most government entities run SC&A is pretty straightforward. Being risk-intolerant means that you are going to spend whatever dollars are necessary to mitigate the biggest risks. Large projects that embody significant change (e.g., moving your core accounting application off the mainframe to a three-tier J2EE architecture) also embody significant risk; hence, let's ensure that the application is secure before we deploy it (SC&A). Another driver is the federal government advocating (or mandating) SC&A for federal entities (e.g., NIST SP 800-37), which has trickled down to many states and larger cities.
What is not as clear to me is why private sector companies don't have formal SC&A processes. Any information security professional worth their salt knows that change = risk. So why are so many systems deployed without sufficient testing? I wish this was where I came up with a clever answer, but I have none. I'm hopeful that advances like SAMM (OWASP's Software Assurance Maturity Model) will change the situation.