Good article - good posts......... In most instances, the budget and approval for the implementation of security and other types of controls fall into the realm of the business manager or management. Security professionals including CIOs, CISOs and the troops that support them are in the position of recommending, but not approving and allocating budgets. Until business adopts or integrates responsibility for limiting access or protecting image into its risk management process(es), they will always react based on the supposed checkbook. Conversely, security professionals need to employ better methods for communicating opportunities to management besides the traditional standby's of FUD (fear, uncertainty, doubt). Only after something happens does FUD really kick in as a motivator. Thoughts?

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/305/30885#30885