Security's Everyman

Thursday, September 11, 2008

FOI in depth

OK, so what started out as a funny comment on Twitter has started to turn into something. The FOI (Failure of Investment) concept has been picked up by a few others who have added to it, questioned it, and some think it has a future. I read one post in particular that I wanted to comment on and expand my thoughts a bit. So instead of doing it via a comment on the blog I decided to do it here. Before I go any further I recommend that you hop over to Jack Daniel's blog at Uncommon Sense Security and read his thoughts on this. After all, he was kind of the brainchild behind this. I'll wait patiently for you to read it and then I'll continue.

Oh good, you're back.

Today, Sara Peters, who blogs at Security Provoked, the blog of CSI (Computer Security Institute), picked up on the FOI concept and said that she liked it but wasn't sure she bought it yet. One of her concerns was that FOI focused too much on straight security and not enough on risk management. I would say to her that FOI is all about risk management. After all, security is managing risk. If we don't support the business, by understanding it and its goals, then we have failed. If we don't look at what we are doing in light of the business objectives, then we are not securing the business but securing the technology, which misses the mark. Security for the sake of security is no security at all.

