RE: [IDS] IDS Common Criteria

Robert: you say "However, many have jumped on "security is a process" in order to burden their organizations with overweight processes. Moreover, narrow minded bureaucrats often use "security is a process" to prevent talented/educated people from actually getting their job done -- with a detriment to an organization's security. I see organization after organization where process is the enemy of security."

I agree with your conclusion but I wonder...are you suggesting the intent is to burden or the outcome/result of processes is to burden the organization (I'm wondering if you're seeing something less ignorant and more insidious here)?

Either way, does this then require that security folk engage in better bureaucratic speak (to explain to the advocates of process for the sake of process what really is needed) or better security by way of little or no budget (without their support, I get no support)? By that, I mean is the obstacle I face in the scenario you present above (which is my very situation - my CIO believes he knows security because he read Secrets and Lies) my inability to converse with the brass or is it my lot in life to always fight their ignorance and vulnerability to what often amounts to marketing spin?

Or have I missed your point altogether?

respectfully,

parnelli

parnelli_vondel@yahoo.com

• "Graham, Robert (ISS Atlanta)" <rgraham@iss.net> wrote:
  > From: Randy Taylor [mailto:gnu@charm.net]
  

  ---