PROCESS MANAGEMENT vs. EFFECTIVE SECURITY

摘要

How does one evaluate the quality of a security system? One would like to think that it would be based on the capability of the system to prevent attacks? We bandy around terms such as 'risk-based', yet much of what we do is actually 'process-centric', often at the expense of security. Many of those who gathered at the Blue Skies Thinking workshop in Hong Kong in June admitted that they struggled to think in a 'blue skies' manner and were drawn into discussions whereby 'process' was deliberated first and, only then, the ability of that process to address the various threats to which we are exposed. Whatever the threat we need to respond to, surely the solution must either, and ideally, be to neutralise the threat, or, at the very least, to reduce our exposure to a level of risk which is acceptable?