Daily Archives: October 28, 2015


Consider this: controls are for auditors, processes are for managers. As someone who has been issuing guidance and helping companies improve their information security for the past 17 years, I’ve concluded the industry approach to information security is too narrow. Oftentimes tools are purchased as a reaction to the latest threat or, worse, a socially cool trend. To truly operationalize security, information security practitioners, particularly leaders (CISOs), must focus on how to manage the security program, both data security and cyber security, based on the performance of processes.

Controls are for Auditors, Processes are for Managers