I have been in this field for over 30 years and this is the most exciting time to be dealing with security and risk management. The good news is that there are more tools, resources and support for the industry out there now than at any time in the past. The potential downside of that is there are a lot more people using a lot of different methods to try to have a less-than-desirable effect on all of us.
Businesses need to look at a number of different methods to deal with things like web attacks, social engineering, identity theft, scams, compliance and plain, old-fashioned theft. Security, Risk Management and Compliance are no longer items to be looked at after big decisions are made. Rather, these three key components should be part of every key decision. Every decision has an inherent level of risk. I do not advocate inserting controls for the sake of controls or compliance, just as I do not advocate ignoring risk and hoping that nothing happens. Every good decision should be made by looking at the potential downside of little or no controls and comparing that with the potential downside of the cost of controls. The right balance is the right answer (see diagram).
