Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: George Capehart <capegeo () opengroup org>
Date: Thu, 10 Apr 2003 19:20:23 -0400
On Thursday 10 April 2003 05:19 pm, Joseph S D Yao wrote:
<snip>
> Well, yes. Aren't all things, in the end? We are all of us accountable for governing our own actions. This is such a horrifying notion to many that they duck and run for cover. Corporate identities, having no souls, must be governed and held accountable by a BoD. Which may also have no souls.
>
> How does one get the attention of a BoD? Two ways. The smell of money, and the smell of litigation. The carrot and the stick. In the BoD of too many of today's companies, as Marcus has alluded to, the Ds don't care about the company, the product, or the worker. They care about the revered "bottom line". And this doesn't even refer to the actual worth of the company, its products, or its revenues - nobody looks at that, nowadays. When they report the "worth" of a company, it's the price of a share of stock times the number of shares. A truly fake number! But it directly impacts the "bottom line" about which the directors are concerned - how much THEIR shares are worth, and those of the share holders who are only concerned about how much THEIR shares are worth.

Ahhhhh. *Now* we're getting to the root cause (or "of all evil" . . . sorry 'bout that. Couldn't resist . . . :-> ) In the end, it is all an exercise in risk management . . . in every sense of the phrase. And the problem is, "M"anagement is not managing all its risks. To compound the problem, the stockholders are not managing the Board.

This seems like a sales opportunity for those of us who are InfoSec professionals. There *does* exist a well-defined IT governance model: see http://www.isaca.org/cobit.htm. There is also a model for accountability that I personally like (but at which everyone would like to duck and run for cover) . . . see http://csrc.nist.gov/sec-cert/SP-800-37-v1.0.pdf (the certification and accreditation process). So there *does* exist a model for oversight and a mechanism for accountability and assurance. Just can't figure out how to sell them.

Problem is, there is a tremendous educational process that needs to happen before the patients realize they're sick, and I haven't figured out how to fund the process . . . 8-( It gets back to Paul's analogy of the IT department as the Electoral College, to which I subscribe, but it's *still* an educational process . . .

> Sorry to be so cynical, but ...

Heh. Don't think you're any more cynical than anyone who has been in the business for a while . . .

-- 
George Capehart
PGP Key ID 63F0F642 at http://pgp.mit.edu
"We did a risk management review. We concluded that there was no risk of any management." -- Dilbert

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: tunnel vs open a hole, (continued)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 09)
- Re: tunnel vs open a hole R. DuFresne (Apr 10)
- Re: tunnel vs open a hole Bill Royds (Apr 10)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 10)
- Re: tunnel vs open a hole Dave Piscitello (Apr 10)
- Re: tunnel vs open a hole Adam Shostack (Apr 09)
- Re: tunnel vs open a hole Mike Frantzen (Apr 10)
- Re: tunnel vs open a hole R. DuFresne (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 10)
- Re: tunnel vs open a hole Joseph S D Yao (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 10)
- Re: tunnel vs open a hole Duncan Sharp (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 14)
- Re: tunnel vs open a hole Duncan Sharp (Apr 14)
- Re: tunnel vs open a hole Duncan Sharp (Apr 16)
- Re: tunnel vs open a hole Magosányi Árpád (Apr 11)
- Re: tunnel vs open a hole Gary Flynn (Apr 10)
- Re: tunnel vs open a hole Paul Robertson (Apr 10)
- Re: tunnel vs open a hole Paul Robertson (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 14)