Wednesday, 16 May 2007

The difference between business people and InfoSec people

OK, so TJX’s Q1 results apparently show “no noticeable decline in customer numbers” since the data breach. In this article, an analyst from Avondale Partners is quoted as saying:

"It still looks like there has been no meaningful fallout from the data systems breach as it relates to customer traffic," said Patrick McKeever, an analyst with Avondale Partners. "They did pretty well, all things considered."

The “they did pretty well” approach is, in my opinion, a real problem in the InfoSec arena. Short-sighted, blinkered views of the “here and now” are the domain of business people: they look at “today’s” results, “today’s” profits and “today’s” performance. InfoSec looks at “tomorrow’s” vulnerabilities, “tomorrow’s” threats and “tomorrow’s” attacks.

Put simply, business people look at what IS happening; InfoSec people look at what MIGHT happen.

Maybe this is one of the fundamental reasons why business and InfoSec rarely see eye to eye without a very enlightened business person and a very enlightened InfoSec person at either end.