The following guest post is by Dwayne Melancon, CISA, chief technology officer, Tripwire, an IT security software company.
The SEC is getting pretty explicit about information security risk. You have to identify it, you have to declare it, and you have to manage it. The problem is, a lot of the CEOs I talk with have no clue what they are accepting when they sign off on information security risk.
Sometimes, they blindly accept the cryptic recommendations from their chief information security officers (a.k.a. CISOs). Sometimes, their guts tell them there may be a problem, but they don’t know which questions to ask to figure out what’s really going on. In both cases, I think it’s a problem that senior business managers are accepting risks they don’t fully understand. How can this represent the best interests of your stakeholders?