Nobody can get enough guidance about cyber-security these days, and the New England Chief Audit Executives group is no exception. I attended the group’s winter meeting here in Boston last week, and that’s all we talked about for two solid hours. These folks had good ideas galore about managing cyber-security risk, so let me recap the most important ones here.

First, worry more about the process of how information is governed at your business than about the tools you use to protect it. Last week’s discussion started with a panel of audit and IT executives, and every one of them agreed on this point. Tools address one specific risk, and they may do that quite well—but they may also be useless for every other risk. And if your process for governing information is sloppy overall, those other risks will hit you eventually. The tools you have won’t do you much good then.