Here is a dangerous question to start the new year: Does your company actually need a security department? If you are doing CYA instead of CIA, the answer is probably no. Dark Reading
Recent Posts
- Asleep at the Wheel
- Security > 140 Conversation with Gerry Gebel on XACML and ABAC
- James Lewis on Myths
- Better Metrics
- Perils of Top Down Thinking
- Enterprise API Management for Mobile Part 2 - Don't Trust. And Verify
- Limitations of Statistics on Measuring Risk
- A Cloud Risk That Is Different In Kind
- Berkshire Hathaway Annual Meeting 2013 Notes
- Quantifying Risk Tolerance
Blogroll
- Adding Simplicity - An Engineering Mantra
- Adventures of an Eternal Optimist
- Andy Steingruebl
- Andy Thurai
- Anton Chuvakin
- Arnon Rotem-Gal-Oz's Cirrus Minor
- Beyond the Beyond
- cat slave diary
- Ceci n'est pas un Bob
- cgisecurity
- ConnectID
- Cryptosmith
- Diggings
- Emergent Chaos: Musings from Adam Shostack on security, privacy, and economics
- Enterprise Integration Patterns: Gregor's Ramblings
- Financial Cryptography
- Global Guerrillas
- infosec daily: blogs
- James Kobielus
- James McGovern
- John Hagel
- Justice League [Cigital]
- Kim Cameron's Identity Weblog
- Krypted - Charles Edge's Notes from the Field
- Light Blue Touchpaper
- MAKE: Blog
- Mark O'Neill
- O'Reilly Radar
- Off by On
- ongoing
- Patrick Harding
- Perilocity
- Pushing String
- Rational Survivability
- rdist: setuid just for you
- Rich Salz
- RiskAnalys.is
- Ross Mayfield's Weblog
- Rudy Rucker
- Software For All Seasons
- Spire Security Viewpoint
- TaoSecurity
- The New School of Information Security
- Thomas P.M. Barnett :: Weblog
- Windley's Technometria
- WorldChanging: Tools, Models and Ideas for Building a Bright Green Future
- zenpundit
« The Road to the Security Cliff is Paved with Optionality | Main | Incentives and Decision Making »
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83451c75869e2017d3faed899970c
Listed below are links to weblogs that reference Does Your Company Actually Need a Security Department?:
Comments
The comments to this entry are closed.
SOS: Service Oriented Security
- Directions in Incident Detection and Response
- Security > 140
- Open Group Security Architecture
- Reference Monitor for the Internet of Things
- Cloud Security: The Identity Factor
- Don't Trust. And Verify.
- Monitoring Up the Stack
- Security Gateway Buyer's Guide
- How to Do Application Logging Right
- 10 Quick, Dirty, & Cheap Things You Can Do to Improve Enterprise Security
- Thinking Person's Guide to the Cloud, Part 1
- Software Assumptions Lead to Preventable Errors
- Logging in the Age of Web Services
- Service-Oriented Security Indications for Use
- The Economics of Finding and Fixing Vulnerabilities in Distributed Systems
I've been arguing for nearly 4 years that a security department is unnecessary these days. I disagree with you on the "CYA instead of CIA" quip, though. I think it comes down to organization and optimization. The business should be managing operational risk, and operations should own those remediation and management duties. A separate security department tends to decrease an organization's effectiveness.
One of my first posts on the topic was here in July 2009:
http://www.secureconsulting.net/2009/07/do-you-need-a-security-departm.html
More recently:
http://www.secureconsulting.net/2012/06/its-time-to-retire-security-fr.html
fwiw
-ben
Posted by: Ben Tomhave | January 09, 2013 at 01:01 PM
@Ben - Agree and I would go one step further: do you need IT at all? You could say this is what the Cloud is about. But really, we had IT back when few knew how to operate a computer. Not the case today. In my view you are either
a) developing a product
b) operating a product
c) working in customer service
There's no reason to separate "business" from "IT" its just business.
http://1raindrop.typepad.com/1_raindrop/2011/01/the-business-of-it.html
Posted by: gunnar | January 09, 2013 at 01:12 PM