1999-05-27-23:47:24 Paul D. Robertson:
> When the security administrator hat is on, the job is providing the most
> security possible within the scope of the business requirements. Bringing in
> revenue is a different hat and they shouldn't be confused.
An interesting fundamental realization in Wall St. type financial
institutions, that has emerged over the last couple of decades, is that what
they do is little more than sell the service of providing a marketplace (i.e.
suck up them commissions) and repackage and resell a commodity called "risk".
That latter area is where the real money is, and has led to a modern trading
firm organization where marketing and traders nominally "make money for the
firm" but the risk management department holds their reins and keeps the
company from tripping and falling over.
Turns out that if you can get that risk management department to take
ownership of the computer security policy, all kinds of problems just
disappear. Risk management is the field of professional expertise that leads
to good security policies.
That's as far as I've gotten. I really enjoyed the one work experience where
a senior risk manager owned the security policy, and have been trying to
recapture that wonderful setup ever since. It's tough. Perchance could anyone
out there recommend a good text or three on risk analysis and management?
-Bennett