Friday 4 September 2015

Negligence And Risk: The Imperfect Balance Of Cyber Security

Terry Kurzynski is the founder and Senior Partner of HALOCK Security Labs. With a background in security, networking, application development, audit, project management and consulting, Terry has a unique skill set in providing strategic advice to clients. Terry has two related areas of focus: Incident Response Readiness and Risk Management. Terry has pioneered a service philosophy that he calls Purpose Driven Security. This philosophy can best be summarized as measured and preemptive. Together, the dual emphasis allows organizations to use a limited security budget to maximize protection of their critical information assets.

Christopher P. Skroupa: Considering the constantly evolving tactics of hackers, is there such a thing as too many security measures?

Terry Kurzynski: Yes, in fact our legislation is built with the concept of risk management to balance the needs of business with their obligations to protect the public. Laws are made that include risk management in order to be business-friendly. Organizations are to assess risk in terms of impact to their mission and objectives as well as impacts to their obligations and ability to cause harm to others. Security measures are to be implemented to bring down the risk in all categories to an appropriate level, but never to zero. There is always some risk. If zero risk were the goal, we would not drive cars on highways knowing that 40,000 people will die each year in the U.S. from automobile accidents. But the economic benefits outweigh the risks. Each business and organization needs to develop its calculations for acceptable risk; calculations that are defensible in front of a judge and jury.

Skroupa: With laws and regulations calling for businesses to implement required cyber security protocols, where does negligence come into play?

Kurzynski: Organizations are left with a lot of variability in which controls they choose to implement, the priority of implementation, and the extent to which they are implemented. Negligence cases are based on one simple question: Did the organization perform its duty of care? If their duty of care was insufficient, they may have a higher liability due to negligence.

The question remains, how does an organization know if it has an appropriate level of care? To find out, we need to ask several questions:

  1. Does the organization perform a review on a regular basis for risks that could pose harm to others or may impact its obligations (e.g. protecting personally identifiable information (PII))?
  2. Has the organization developed a definition for its acceptable risk as well as a calculus to prioritize risk?
  3. Does the organization have a plan, and is it managing that plan to treat and reduce the risks that it has defined as unacceptable?

View the original content and more from this author here: http://ift.tt/1IKKLgX



from critical infrastructure alliance http://ift.tt/1fYIAzy
via IFTTT
