Shostack + Friends Blog Archive


"What your CEO thinks about security"

Larry Ponemon writes:
Unfortunately, CEOs have persisted in focusing on four basic questions that too often stump the most savvy IT professionals:

  • What is the security return on investment?
  • What is the probability of a catastrophic security failure?
  • What is the cost of self-insuring against security risks?
  • What are the tangible benefits of being an industry leader for security?

Unfortunately? It sounds to me like tending to fiduciary duty before spending money.

There’s some great insight into CEO attitudes towards security in here. But the people who need attitude adjustment are the security experts who think that our discipline deserves special treatment and attention. We need to start answering those fundamental questions, then we can look to see budgets that are more to our liking.

(From "What your CEO thinks about security (and how to change it)," Computerworld, via Info Security News.)

One comment on "What your CEO thinks about security"

  • Iang says:

    I agree! Couldn’t have put it better…
    The sooner security people start moving over to thinking about security as a risk and reward process – where failures are good because they show us where to concentrate efforts – the more security we can deliver.
