The article hits the high points of planning, but falls a little short for me.

These steps are chiefly useful to a new organization that is just organizing itself from a goverance standpoint. While a good overview, recommendations like these rarely address the chief problems faced by organizations who are trying to hammer entrenched cultures and technologies into some reasonable facimile of security best practice.

The fault lies with the approach: recommendations like thses assume security is a "new" organizational problem, when in fact it is an old problem that has simply been elevated to new priority. How to change their current security practices toward best preactices is more what companies need instruction in, I think, than just the ideal basics overview.


Bar Biszick-Lockwood
QualityIT
www.qualityit.net