It’s easy for infosec professionals to become comfortable in the world of information systems, firewalls, security patches, and intrusion detection. We sometimes forget that we’re part of an ecosystem that’s supposed to help the organization achieve its corporate objectives. As Michael Cloppert put it, we should be active participants “in technical innovation, architecture, and the engineering process, making sure requirements are met in a way that balances risk with cost.”

I’ve been thinking about this quite a lot recently. A lot of the time my work feels more like information infrastructure security than information systems security. We sometimes focus too much on protecting a database or an application instead of taking a look at its overall goal. Each of those databases and applications and firewalls is part of an enterprise information system whose ultimate goal is business. Something I intend to correct in 2011.