Closing the Gap Between Assessment and Defense

By Sean Martin  |  Posted 07-30-2010



Verizon's Hutton first referred to implementing a governance, risk and compliance (GRC) program without any measurement as governance and compliance via superstition. Without measurement, an organization has nothing of substance to point to when it needs to confirm that what it is doing, it is doing well, and that it is indeed mitigating risk. "We can't talk about what we can't see -- we can't see what we don't talk about," added PayPal's Miller.

Hutton also suggested that, in order for organizations to succeed in managing risk, they must embrace and promote cross-functional collaboration and trusted disclosure of information within the security community. (This is a common theme in many of this year's Black Hat sessions, including the conference's opening keynote.)

Defining 'systems' that capture every aspect of the information flow allows PayPal to expose all potential areas of risk to its business, said Miller, who is responsible for minimizing exposure to fraud for PayPal users. The systems that she defined in her sample scenario at the Black Hat session included internal business machines and perimeter protection appliances, as well as the partner and end-user machines that access the network.

