Are Business Risk and Technical Security Part of a Natural Fourier Series?
Decade after decade politics moves from regulated economies to de-regulated economies. Changes are usually triggered by “unpredictable events” (in political speak). We are almost certainly about to go into a period of heavy government regulation of the financial services industry, where “unpredictable events” (or “failure”, in plain English) are blamed on inadequate regulation.
Internet cycles are of course generally shorter than political cycles, yet at the same time closely tied to them. Over the last decade or so I have watched corporate security teams (and the information security industry as a whole) cycle through waves where governance, regulation and compliance were the order of the day and waves where technical security was served up as the predominant answer. It’s hard to argue with risk management; it makes sense in the context of business conversations. It’s hard to argue with technical security; it makes equal sense in the context of technology discussions.
It seems to me the failures occur because there is a lack of connection between the two approaches. My issues with PCI are not about the intent but about the implementation. We can all see how easy it is to have a PCI compliant application (some might say one with appropriately managed risk, complying with regulations) that is wholly insecure.
I speculate that what’s actually at play in the big picture is a giant human Fourier series where convergence will only occur when technical security and business security connect.
(Graphic when I have time)
October 8, 2008 at 8:27 pm
There’s a Fourier series re: new and interesting thoughts on blogs, too. You just created a peak, and that’s cool.
I wonder about the axis there and the labels you’re using, “technical security” and “risk management”. I wonder if the “magnitude” of those are something you’re really wanting to plot, or if there is actually some other concept that might be a better fit. No idea what that is yet, but it’s very interesting.
October 14, 2008 at 8:25 am
Yes, you can have a PCI compliant application that is wholly insecure, and…?
You can have a secure application that is totally unusable?
That is the GRC bit that I am looking forward to you addressing.