Introduction
The belief that a company will never face a security or compliance incident is naive, yet many business managers still hold it. They prefer to keep their reactive approach rather than invest time and money in a proactive, systematic one. When an issue arises, or a business unit attracts a high degree of public attention, the incident is addressed, and this process of doing so has come to be known as a compliance program.
To exaggerate this a little, imagine the following series of events:
- Find out that you have an issue
- Start panicking
- Get management buy-in to throw money and time at the issue
- Implement your solution as publicly as possible to show what a great job you are doing
- Pray that the issue is truly addressed
In other words, the issue is identified and addressed, but there is never a true assessment of the general environment or of the value of addressing that particular issue.
Based on my experience, this reactive approach wastes time and money. Policies...