This from a LinkedIn group post published on SecurityInfoWatch.com:
“In the ever evolving threat landscape that is IT security, some security executives have become so focused on taking an approach that meets compliance requirements that their attention has become diverted away from some of the actual risks facing their respective organizations.”
Hear, Hear! Many of the executives I talk with (typically SMBs) literally have no idea about security management. I have been told “we don’t care about improving security, we just want to pass the audit.”
I believe that most of the new regulations and standards could provide value. However, the way they are being implemented/enforced in a lot of organizations pretty much precludes any real security value that could be derived from them.
This article touches on these thoughts: Shifting from compliance based IT security to a risk-based model
