Shostack + Friends Blog Archive


Corporate governance goals impossible (II)

Further quoting from that same article in the Register about the impact of new rules:

Business managers becoming fed up with FUD

In a separate study, more than a third of the 30 delegates to the Axis Action Forum admitted that their Board had never asked for an update on security or implications of security breaches. The finding suggests widespread boardroom indifference to security issues despite the high profile security has been given in the media and by numerous industry initiatives.

Firms only take security seriously in the aftermath of attacks, according to one delegate. Part of the reason could be that business managers are becoming inured to alarmist security pitches. Simon Linsley, head of consultancy and development at Philips, said: “For years we have had to go to the Board with messages that create the Fear of God. We can no longer rely on these doom and gloom messages – we have to go to the Board with solutions that add value to the business.”

It’s about time! Why are the other 20 boards wasting their time on security, anyway? If your company isn’t suffering massive losses, then you’re either spending enough or too much on security. Let the board focus on the strategy for the company, and let the operations folks do their job.