In my first post I discussed the fact that public breaches are trending to all-time-high levels.
Combine this with continued financial pressure to cut costs and expanding technology risk drivers such as cloud computing and the 'consumerization' of IT, and you have the perfect storm for an unmanageable attack surface given the current investment styles of most companies.
The approach of most firms seems to be to respond to what drives management’s attention this month, or what a board member read in the WSJ last week, instead of what really presents a serious risk to the company. The immutable truth is that business units have different threats; the customer team has different risks than the operations group, which has different risks than the IT organization.
While they all may be linked, when it comes to prioritization, risk/investment trade-offs, and funding decisions, it is a subtle but important difference. The effort of identifying the 3 or 4 big rocks in each division and prioritizing those can bring considerable clarity; it is a bottom-up approach, but it often helps push the reset button.