Debates. They seem to be everywhere – especially now in the thick of the political season. Political debates are serious stuff. Other debates – like who was the better baseball player or who has the best burger – are much more frivolous. As an Oakland Raider fan in the middle of Kansas City Chiefs country, I have had my share of debates. Unfortunately, lately that debate revolves around who has had a worse decade. (For those of you less NFL-inclined, neither team has had rousing success for a more than uncomfortable time frame).
Last week, I was invited to join a debate online and write a rebuttal to an article written by Richard Stiennon, chief research analyst at IT-Harvest. As with all small industries, I know Richard from a long time ago – sharing a few pints at the Flying Saucer in Fort Worth while on an engagement when we were both at PricewaterhouseCoopers. Ahhh…the good old days. Richard’s article in Network World focused on “why risk management approaches FAIL in IT.” I took the stance “why risk management can SUCCEED in IT.” And now we have a debate.
Now I don’t think Richard and I are that far apart – nothing like some of our political counterparts seem to be in the recent debates. We both concede that IT security is a very complex problem. We both understand that the proliferation of devices, data and the endlessly changing threat landscape throws a monkey wrench in many security plans. We both acknowledge that asset management can be a challenging endeavor for any organization. However, I believe that risk management concepts are core to building a sustainable process to prioritize the stream of potential risks companies face in IT security.
IT security is a continuously evolving space where we are learning from the past, we are making progress towards a more methodical risk management approach, and we can build on the foundations of risk management methods that other risk disciplines, such as financial risk management, utilize. Are we there yet? No. But I believe we are on our way.
I encourage you to take a look at the articles and weigh in on the debate. It would be interesting to get the perspective of the community that has embraced GRC thinking in the enterprise. Leave your comments below, comment on Network World or just have a debate in your office at the water cooler. Either way, you can join in for the season of the debate. Why let the politicians have all the fun?