A Shift In Security & Risk Research

Rob Whiteley


The new ISO 31000 risk management standard . . . well-written, but not earth-shattering

By now, many of you have read the newly released ISO 31000 Risk management - Principles and guidelines standard. (Others may have seen its release draft or be familiar with its predecessor the AS/NZS 4360 standard.)

It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”

But if we expect the availability of ISO 31000 to have any sort of revolutionary or game-changing impact in the immediate future, we’re getting way ahead of ourselves.


Note To CISOs: Be the Automator, Not The Automated

Rob Whiteley

I’d like to take a small commercial break from your regularly scheduled security & risk programming to bring you the following observation . . .

I was recently in a client session with one of our great infrastructure & operations (I&O) analysts, Glenn “Automation” O’Donnell. His research on IT automation is extremely interesting both tactically (advice for improving IT operations) as well as philosophically (a call to arms for IT professionals to update their skill set — or risk obsolescence).

Anyway, in this session Glenn made a great observation: IT is at a key inflection point in 2009 and it’s never going back. He was distilling the result of three IT macro-level events colliding: 

  • Business Technology (BT) architecture redefining how we define IT services
  • Cloud computing and virtualization redefining how we build IT services
  • Automation and ITIL redefining how we run IT services

But the big takeaway for me was automation. It’s the main ingredient in transforming information technology.

And now as we return to our regularly scheduled security & risk programming I’d like to pose the following question: What is automation doing for information security? My take: Not much.

Sure, we see pockets of automation in information security. I’ve seen:
