Is information security risk management an art or a science? As you might expect, the recent Ponemon survey reveals that risk management is considered neither purely an art nor purely a science.
Roland Cloutier, Chief Security Officer at ADP, and Tripwire’s Chief Technology Officer Dwayne Melancon discuss their views on the question of risk management as an art or a science.
Although there are many models (like FAIR) and key performance indicators available that allow us to apply scientific elements to infosec, those activities alone do not make risk-based security management a science.
On the other hand, there will always be a need for risk management and security professionals to draw on their own experience, knowledge, background and particular circumstances when making determinations — the “art” part of the equation.
Tripwire recently sponsored the extensive survey on the state of risk-based security management with the Ponemon Institute. Key findings and more information on the survey can be found here.
Also, several infosec luminaries including Jack Jones, Jay Jacobs, Ben Tomhave, Alex Hutton, David Mortman, Bob Rudis, Donn Parker, Dan Arista, and Tim Erlin shared their insights in an extensive article here.
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock