In serious mode for a moment, I think this could be very important.
Without wanting to repeat some already well discussed maxims, security is a business issue, and treating it as such makes much more sense than delving into the technical nitty-gritty, which frankly anyone can understand given enough time because it's not based on anything except logic. If you can do Sudoku, you can configure a firewall (I was a techie for many years). Thinking in business terms takes experience, and thinking quickly in business terms requires lots of experience before useful models are created. Mike Rothman's P-CSO is a perfect example of that in our little community for example.
What RaviChar has done here is turned security into a Maslowian hierarchy of needs. Simple, but effective. It makes you think. It makes me think that there needs to be more work done in this area. It makes me think that there are a whole set of ramifications, compensating controls and legislation that needs to be re-considered. This has implications for compliance beyond just "it's not good enough", "it has no teeth", "it's a business document, not a technical document".
I'm going to digest this before I go off on one, but I think as many people as possible should be considering this, and giving feedback. You can't do it on Ravi's site without a blogharbour account, but you can do it here for free.
Please do so.
No comments:
Post a Comment