Archive for February, 2007

What good is a parachute to a skydiver when it is not opened or fails to open? Likewise, what good are security tools/controls/processes to a company when it is not properly implemented or failed to be implemented properly?

Just purchasing more and more tools and establishing multiple security controls and processes without proper implementation may lead one to what one could call “placebo” security.

Implementing security properly would entail a thorough investigation of tools that would handle (mitigate/transfer/eliminate) risk, establishment of processes that would “enable” not “impede” the business(es) that you support, education of your personnel to want to do security because they WANT to, not because they HAVE to and a governance framework  to enforce policies, standards and procedures.

So, what are we talking about - What happens when a skydiver’s parachute is not opened or fails to open …

Just wondering, in today’s day and age, what constitutes the DNA of an effective InfoSec Professional -
Is it one who is versatile with a breadth of experience across various technology or is it someone who is super specializes in one area of security? Is it one with an entreprenuerial spirit, a visionary, …

I would like to compile various opinions as to what one thought was the DNA of an effective InfoSec Professional

Merriam-Webster defines effective as “producing a decided, decisive, or desired effect”Â