Friday, April 14, 2006

Security Activities and Operational Risk

I see a lot of IT security organizations engaging in a wide range of security "activities". I use this term to distinguish these companies from the very rare ones that run a genuine IT security "program". IT security professionals are often guilty of identifying a risk and then finding a tool that addresses that risk. They fail to start with the assets that need protection and the identification of each asset's vulnerabilities.

IT professionals can be excused for doing this because security is still a new discipline for IT. Ten years ago, it was difficult to find an IT security professional. Although they are much more plentiful now, they often lack a solid foundation in security processes. Without the initial groundwork of an asset/risk assessment, IT security activities are highly random and seldom contextualized or programmatic. This lack of foundational security processes leads IT security efforts into the corporate black hole of "operational security".

Please see my post on February 22 about the distinction between operational risk and organizational risk. Securing data is different from securing computer hardware or addressing other physical security concerns. The operational risk associated with data is very minor, while the organizational risk is quite high. This is exactly the inverse of most physical security issues.