Closing the Gap Between Assessment and Defense

By Sean Martin  |  Posted 07-30-2010

Verizon's Hutton described implementing a GRC program without any measurement as governance and compliance by superstition. Without measurement, an organization has nothing of substance to point to in order to confirm that what it is doing, it is doing well, and that it is indeed mitigating risk. "We can't talk about what we can't see -- we can't see what we don't talk about," added PayPal's Miller.

Hutton also suggested that, in order for organizations to succeed in managing risk, they must embrace and promote cross-functional collaboration and trusted information disclosure within the community. (This is a common theme in many of this year's Black Hat sessions, including the conference's opening keynote.)

Defining 'systems' that capture every aspect of the information flow allows PayPal to expose all potential areas of risk to its business, said Miller, who is responsible for minimizing exposure to fraud for PayPal users. The systems that she defined in her sample scenario at the Black Hat session included internal business machines and perimeter protection appliances, as well as the partner and end-user machines that access the network.
