There are many holes in this, but I think they miss some important points.
First is setting IT HR to look for Infosec.
That is because many people think InfoSec is a IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was the debate: “Should Infosec report to IT?” The overall decision was no;. Infosec might need to ‘pull the plug’ on IT to protect the organization.
Second there is the vast amount of technology claiming to do InfoSec.
It is all network (and hence IT) as opposed to business fulfilment. This has now spread to “Governance”. You can buy governance software. What does this do for the ethical outlook of the executive, the board and management? How is Governance tied to risk management and accountability and visibility by this software?
Technology won’t solve your problems when technology *is* your problem.
InfoSec is about protecting the organization’s information assets: those assets can be people, processes or information. Yes technology may support that just as technology puts a roof over your head (physical security) and somewhere to store the information. Once this was typewriters, and hand-cranked calculators and filing cabinets, and copying was with carbon paper. The technology may have changed but most of the fundamental principles have not. In particular the ones to do with attitudes and people are the same now as they were 50 or 100 years ago.
- Bruce Schneier on the mic: InfoSec 2012 (blog.bt.com)
- InfoSec Sniffs Out Security Risks (prweb.com)
- Incomplete Thought: Offensive Computing – The Empire Strikes Back (rationalsecurity.typepad.com)
- The Infosec Investment Equation: Can You Solve It?… (neirajones.blogspot.com)
- Myth or Fact? Debunking 15 of the Biggest Information Security Myths (tripwire.com)