Re: tunnel vs open a hole

[George Capehart <capegeo () opengroup org>]

On Thursday 10 April 2003 05:19 pm, Joseph S D Yao wrote:
>

<snip>

> Well, yes.  Aren't all things, in the end?
>
> We are all of us accountable for governing our own actions.  This is
> such a horrifying notion to many that they duck and run for cover.
>
> Corporate identities, having no souls, must be governed and held
> accountable by a BoD.  Which may also have no souls.
>
> How does one get the attention of a BoD?  Two ways.  The smell of
> money, and the smell of litigation.  The carrot and the stick.  In
> the BoD of too many of today's companies, as Marcus has alluded to,
> the Ds don't care about the company, the product, or the worker. 
> They care about the revered "bottom line".  And this doesn't even
> refer to the actual worth of the company, its products, or its
> revenues - nobody looks at that, nowadays.  When they report the
> "worth" of a company, it's the price of a share of stock times the
> number of shares.  A truly fake number!  But it directly impacts the
> "bottom line" about which the directors are concerned - how much
> THEIR shares are worth, and those of the share holders who are only
> concerned about how much THEIR shares are worth.

Ahhhhh.  *Now* we're getting to the root cause (or "of all evil" . . . 
sorry 'bout that.  Couldn't resist . . .  :-> )  In the end, it is all 
an exercise in risk management . . . in every sense of the phrase.  And 
the problem is, "M"anagement is not managing all its risks.  To 
compound the problem, the stockholders are not managing the Board.  
This seems like a sales opportunity for those of us who are InfoSec 
professionals.  There *does* exist a well-defined IT governance model:  
see http://www.isaca.org/cobit.htm.  There is also a model for 
accountability that I personally like (but at which everyone would like 
to duck and run for cover) . . . see 
http://csrc.nist.gov/sec-cert/SP-800-37-v1.0.pdf (the certification and 
accreditation process).  So there *does* exist a model for oversight 
and a mechanism for accountability and assurance.  Just can't figure 
out how to sell them.  Problem is, there is a tremendous educational 
process that needs to happen before the patients realize they're sick, 
and I haven't figured out how to fund the process . . .  8-(  It gets 
back to Paul's analogy of the IT department as the Electoral College, 
to which I subscribe, but it's *still* an educational process . . .

> Sorry to be so cynical, but ...

Heh.  Don't think you're any more cynical than anyone who has been in 
the business for a while . . .

-- 
George Capehart

PGP Key ID 63F0F642 at http://pgp.mit.edu

"We did a risk management review.  We concluded that there was no risk
 of any management."  -- Dilbert

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards