World View
Oui, Virginia, There Is a Hell
Wherein our intrepid American CISO sits before a European audit committee.
By Paul Raines
the value of following an international standard. This was not the United States, they assured me.
Europe, they huffed with a superior air, follows international best practices in security. What was unsaid
but implied was that their American cousins hadn't quite risen to this level of sophistication. I smiled
politely and endured the lecture. The best that could be said was that the more time they spent
pontificating, the less time they had to nitpick over my report.
Granted, this interaction was partly about who had the biggest uvulas, so to speak. But it also
illustrated a fundamental difference in the way audits are conducted on both continents. In the United
States, audits are about ensuring that sufficient controls are in place to mitigate risks. Thus, the audit
findings tend to emphasize lapses in application and network security. In Europe, audits tend to focus
on following a predefined process, being transparent in the actions taken, precisely defining policies
and procedures, and adhering to international standards.
Part of the difference lies in the fact that ISO standards enjoy a wider adoption rate in Europe. It
might also be cultural in that Europeans have spent generations developing technical standards
(the railroad and telegraphs come to mind)
whoever wins the struggle of market domination.
Given these differences in culture, is it any wonder that IT audits in America and Europe differ so
widely? Americans and Europeans really don't speak the same language. C'est la vie dans la grande
ville.
Paul Raines is CISO of a nonprofit group in The Hague, Netherlands. Send feedback to Senior Editor
Sarah D. Scalet at sscalet@cxo.com.