Several weeks ago I wrote about how compliance and audit executives might approach cyber-security risks, and foremost was the point that “cyber-security” should be about developing a strong process to govern the information you have, rather than a series of tools and defenses you deploy to keep intruders at bay. Today I want to revisit that subject from a different angle: from the perspective of the cyber threat, which is also about developing a strong process to govern the information you have—except that someone else is trying to govern your information, rather than you.
This has been on my mind because I just attended the Institute of Internal Auditors’ national conference in Las Vegas, and as one would expect, cyber-security risks were all over the agenda. Everyone talking about the subject hammered on two themes. First, as companies move ever further into the world of Big Data—as we automate ever more business processes and create more data—our exposure to cyber threats will only get worse and worse. Second, the thieves and attackers behind those threats are getting smarter and more agile every day, and right now they’re often smarter and more agile than you.
