Several weeks ago I wrote about how compliance and audit executives might approach cyber-security risks, and foremost was the point that “cyber-security” should be about developing a strong process to govern the information you have, rather than a series of tools and defenses you deploy to keep intruders at bay. Today I want to revisit that subject from a different angle: from the perspective of the cyber threat, which is also about developing a strong process to govern the information you have—except that someone else is trying to govern your information, rather than you.
