CSO: What attributes should a company that is a leader in risk management have?

Ellis: This is a difficult thing to measure. I think the important thing is that the organization fully understands the risks that apply to them, and that they make educated decisions based on their risk profile. This is the organization that actually comes out ahead, leading the way, determining the risk of a new model for themselves and choosing the technologies and solutions that are right for their business. It's about paving the way, not following someone else's cookie-cutter.

CSO: The company seems to be spending a lot on security products, but not as much on strategic efforts. Do you think it's any indication they already have an effective strategy in place? Or do they focus only on technology?

Ellis: In a down economy, you may not have spent time revamping your strategy. Hopefully, you're exercising. That would be my guess as to what many of these organizations do. I think what you see is an organization that says, "See, I'm not going to try and rebuild my business continuity plans this year. It's not like we're actually adding a thousand people. Can I run with existing plans? It is much more important. Let's go execute on the strategy that we have not finished off the year." I think the industry often spends more time thinking about strategy and less time on implementation. That's what we see in the results of the survey: "Hey, let's protect our work with go and execute on what people can see." Many times companies can see the strategic changes in security, and if management is not able to see it, it may not have much perceived value.

CSO: Many companies seem to be skimping on disaster recovery and business continuity planning. Do you think there's a reason for this beyond that it is not a priority, or that organizations believe bad things don't happen to them?

Ellis: You should look at it individually. For many businesses, it is that they have to take risks. I remember that after 9/11, there was an investment firm which was praised for their business continuity plans. It was one of the investment firms that had been in the World Trade Center, and everyone was holding them up as this example of business continuity planning. They had a good plan in place and they kept their business running after an attack. Three years later, the company went out of business. The reason is, at the end of the day, they didn't really have a business continuity plan that dealt with ways to keep your business a success after losing so many skilled knowledge workers. The bottom line is that there are some activities that are not worth planning for. And some companies, because of where they are in the development cycle or whatever, are unable to put a disaster recovery plan in place.