Information Security Blog

The Tactical/Strategic Information Security Continuum

I have noted a gradual and interesting change over the last few years. Our security assessment "read-out" meetings, where we discuss our findings in detail with the client, have gradually become more strategic in nature. We still spend quite a bit of time talking about the more tactical elements of risk mitigation (e.g., what configuration changes need to be made, what patches need to be deployed, what coding changes need to happen); however, we are now spending more time discussing the root cause of the issues and what upstream changes are necessary to reduce the likelihood that the identified problems re-appear.

Even more interesting to me is that we are having conversations even further up the tactical/strategic continuum at initial meetings with our clients. The momentum around ISO 27001 is remarkable. There is a much smaller, but still notable, buzz around OWASP as well. Clearly, information security is evolving.

Personally, I'm excited by the change. To me it represents a very significant inflection point: one where we stop looking for technical "silver bullets" for our pain points and begin to apply a more structured, methodical system to being secure and proving we are compliant. Leveraging the most open and trusted standards possible, especially those that are well vetted and widely recognized, is common sense.

There are many implications to this shift up the continuum. I'm optimistic that the most notable will be that the process becomes simpler, resulting in a significant improvement in security postures.

About the Author:

John W. Verry, CISA/27001 Lead Auditor/CCSE/CRISC - "Security Sherpa" - Information Security Auditor