Information Security Strategy: Stop Punishing End Users

For many years, companies have focused their security efforts on implementing rules to lock down the end user. I learned the hard way that this strategy doesn’t necessarily lead to better security.

In the past, I believed, as many of you do, that implementing a security program meant taking control of as many factors in the environment as possible. In 2009, when I read a paper by Microsoft Research’s Cormac Herley that criticized this tactic, I was shocked and outraged. He argued that information security programs often focus too much on policies and procedures that don’t actually reduce risk and ultimately increase costs. At the time, I was a CSO like many others — scraping for resources in both staffing and budgets. The last thing I needed was resistance to the policies and procedures I tried to put in place.

