Security, Programming, Pentesting
by averagesecurityguy (stephen@averagesecurityguy.info)
This is in response to @Wh1t3Rabbit's blog post Impending Doom and IT Security's Downward Spiral. I think he's on the right track but I have to take exception to one statement.
I think we need to train our IT Security people twice. First train them to be a business analyst and understand the corporate mindset, strategy and delivery model and only then can we train them to be good security people. Learning technology is easy ...applying it to the business is hard.
The problem is you are removing the responsibility for risk mitigation from the business owner and placing it on the IT security professional. IT security is just another business risk, the same as theft, fraud, physical disasters, poor marketing decisions and poor customer service. It is the responsibility of the business owner to protect the assets of the business and to ensure the business keeps running. While a competent IT security professional who understands the business is extremely valuable in helping the business owner understand the business risk associated with IT security and in developing a risk mitigation strategy, it is still the business owner's responsibility to secure their data.
Until the business owners become educated on the IT security risks to their business and start developing strategies to mitigate those risks, IT security professionals don't have a snowball's chance in hades of lifting us out of the spiral.
tags: infosec thoughts - thoughts