I enjoyed presenting at the SLA Meeting! Great people, very interesting questions, and overall a fun event! My talk was based on my recent book, Managing Knowledge Security (Kogan Page, 2007). There is already a blog entry about the talk , see – Infotoday http://www.infotodayblog.com/2008/06/18/can-you-keep-a-secret/
For those that attended the talk, please do share your comments with me on the talk. Also, do not forget to get your copy of Managing Knowledge Security
Interesting topics presented. I have read Prof. Desouza’s book, Managing Knowledge Security, and it provides a very thorough framework for confronting the issues that most executives place low on their priority list.
Among the literally thousands of concerns that consume most executives’ time, such as: financial reporting, compliance, profit margins, risk management, and constrained budgets…security figures low on most lists. Unfortunately, adversaries may relish in the lack of resources and attention paid to security.
Most executives might think – “I have a limited budget and there are so many immediate concerns. Why should I spend resources on something that MIGHT happen?”
The problem is that when “it” happens, every other priority is affected. Many corporations hire consultants from among the Big Four or other prominent firms in order to solicit an assessment of risk, probabilities, and exposure. Some corporations do undergo these types of exercises in order to gain some insight into their inherent or unique risks. Frequently, other companies go through a risk assessment exercise in order to justify why they should NOT spend money. It’s much easier to defer to the conclusions of a third-party “impartial assessment” than to base a decision to de-emphasize security on one’s own analysis. In addition, it is convenient to assign blame to a third-party if they end up making the wrong assessment.
Increasingly, due to shrinking budgets, many companies are choosing to accept risks instead of the more expensive options: remediating the risks or outsourcing the risk to a third-party.
In an age of limited resources, there are numerous opportunities for adversaries to exploit a lack of focus and a lack of attention to matters of security.
Qualification – I meant no disrespect to any Big Four Firm in my previous post. I was merely attempting to indicate that many companies engage these firms without really providing any guidance on the inner workings of their own organization. If companies do engage consulting firms, risk analysis should be based on a partnership between the consulting firm and the company.
Regarding LinkedIn –
It is amazing and scary at how much competitive intelligence you can gather through a free account. I’m sure that in the near future, LinkedIn will offer detailed reports to companies or individuals on how individuals are networked. This has very significant privacy implications. I will leave it to your imaginations…