Comments on: Can IT Compromise On Security Without Being Compromised? http://storefrontbacktalk.com/securityfraud/can-it-compromise-on-security-without-being-compromised/ Techniques, Tools and Tirades about Retail Technology and E-Commerce Wed, 08 Feb 2012 16:02:40 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Evan Schuman http://storefrontbacktalk.com/securityfraud/can-it-compromise-on-security-without-being-compromised/comment-page-1/#comment-64050 Evan Schuman Thu, 15 Oct 2009 17:25:21 +0000 http://www.storefrontbacktalk.com/?p=4011#comment-64050 Thanks, but anyone looking to my columns for guidance on moral courage is in a serious world of hurt, as it were. That's sort of like watching Three Stooges shorts in search of spiritual fulfillment. Thanks, but anyone looking to my columns for guidance on moral courage is in a serious world of hurt, as it were. That’s sort of like watching Three Stooges shorts in search of spiritual fulfillment.

]]> By: David W. http://storefrontbacktalk.com/securityfraud/can-it-compromise-on-security-without-being-compromised/comment-page-1/#comment-64047 David W. Thu, 15 Oct 2009 14:02:31 +0000 http://www.storefrontbacktalk.com/?p=4011#comment-64047 I've been in Info Sec for a while (I undertook my first security investigation in 1984). Early in my career, there were a lot of folks in the field who viewed this as a "yes/no profession". Those individuals found their careers limited and their opportunities curtailed. InfoSec HAS TO BE a "here's how" profession. InfoSec decisions are a business risk decision. Few if any risks can be completely eliminated, and expense increases the farther a business proceed along that path. The value a good InfoSec leader brings to his company is the ability to define and prioritize the risks associated with technology decisions, allowing the business to make an informed decision regarding the tradeoffs involved in mitigating vs accepting risk. The answers to those questions are as unique as the individual business. They vary based on dozens of factors including technology, culture, risk tolerance, regulatory environment, and corporate ethics. The InfoSec manager has to be aware of when and where he is in conflict with those constraints, and act accordingly. Discomfort with risk tolerance or culture may require adjusting personal preferences, or changing companies to one that more closely aligns with his preferences philsophically. Conversely, violations of law, ethical misconduct, or violations of professional codes of ethics require significantly greater moral courage and represent infinitely greater personal and professional risk. It will be interesting to watch your guest columnists discuss these situations..... I’ve been in Info Sec for a while (I undertook my first security investigation in 1984). Early in my career, there were a lot of folks in the field who viewed this as a “yes/no profession”. Those individuals found their careers limited and their opportunities curtailed. InfoSec HAS TO BE a “here’s how” profession.

InfoSec decisions are a business risk decision. Few if any risks can be completely eliminated, and expense increases the farther a business proceed along that path. The value a good InfoSec leader brings to his company is the ability to define and prioritize the risks associated with technology decisions, allowing the business to make an informed decision regarding the tradeoffs involved in mitigating vs accepting risk.

The answers to those questions are as unique as the individual business. They vary based on dozens of factors including technology, culture, risk tolerance, regulatory environment, and corporate ethics.

The InfoSec manager has to be aware of when and where he is in conflict with those constraints, and act accordingly. Discomfort with risk tolerance or culture may require adjusting personal preferences, or changing companies to one that more closely aligns with his preferences philsophically.

Conversely, violations of law, ethical misconduct, or violations of professional codes of ethics require significantly greater moral courage and represent infinitely greater personal and professional risk. It will be interesting to watch your guest columnists discuss these situations…..

]]>