RE: Security decision making

Augusto Paes de Barros started a discussion on Google Wave about the security decision-making process. Here is my response on the subject:
Hello Augusto
Security decisions are risk decisions (directly or indirectly), but which kind of risk matters? For me, the most important one is the risk that a company does not achieve its objectives. Yet all the security decision processes we have today are deficient at addressing the organization's objectives.
Let's look at ourselves. Most security professionals don't "waste" their time defining what the objective of a security control is and whether it is aligned with the company's objectives. Even an enlightened professional, when proposing a control to minimize some threat, almost never evaluates the impact of that control on the company's opportunities. Once a control has been implemented, it becomes sacred and no one can even propose revoking it. Why? I would like to see something like "zero-based budgeting" in the security process, so that every year security personnel would have to justify every existing and planned security control.