Is the “it is your decision, not ours” statement and philosophy a cop-out within the Information Security sphere?
This is a common refrain and frustration I hear across the world of information security and information technology. Is it true? Is it the result of the personality types that are attracted to these roles? Is it the operational and reporting structure?
In Audit, independence is required and visibility is given. Don't the business (the CIO) and the subject-matter expertise (the CISO), who do not have that visibility, possess a requirement of due care to MAKE it work?
The perfect analogy is the legal department – they NEVER give in and walk away with a mumble, they present their case until all the facts are known and a mutual understanding is reached. Balance happens but it happens with understanding.
This point is so important to me that it warranted a specific sharing of the thought. I hope we can reframe our approach and, following a TED presentation, focus on the WHY. (need to find link…sorry) The individuals in these roles provide the backbone and customer-facing layer of EVERY business.
These are thoughts and realizations from stumbling around our community, and from today at RSA, prompted by presentations with these underlying tones.