« The Road to the Security Cliff is Paved with Optionality | Main | Incentives and Decision Making »

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83451c75869e2017d3faed899970c

Listed below are links to weblogs that reference Does Your Company Actually Need a Security Department?:

Comments

Ben Tomhave

I've been arguing for nearly 4 years that a security department is unnecessary these days. I disagree with you on the "CYA instead of CIA" quip, though. I think it comes down to organization and optimization. The business should be managing operational risk, and operations should own those remediation and management duties. A separate security department tends to decrease an organization's effectiveness.

One of my first posts on the topic was here in July 2009:
http://www.secureconsulting.net/2009/07/do-you-need-a-security-departm.html

More recently:
http://www.secureconsulting.net/2012/06/its-time-to-retire-security-fr.html

fwiw

-ben

gunnar

@Ben - Agree and I would go one step further: do you need IT at all? You could say this is what the Cloud is about. But really, we had IT back when few knew how to operate a computer. Not the case today. In my view you are either

a) developing a product
b) operating a product
c) working in customer service

There's no reason to separate "business" from "IT" its just business.

http://1raindrop.typepad.com/1_raindrop/2011/01/the-business-of-it.html

The comments to this entry are closed.