12 Quotes by Paul Proctor

Ultimately the change has to come from the board down.

Workflow system support by vulnerability management system providers is becoming more important as the need for proactive risk management and remediation grows, ... Integrating prioritized vulnerability and risk data with trouble ticketing systems enables enterprises to more effectively address the vulnerability management lifecycle from detection through remediation.

Business lives by risk. But the concept of 'acceptable risk' is an oxymoron to many security professionals.

Large enterprise networks are typically exposed to hundreds of thousands of vulnerabilities and other security risks. The problem for IT teams is identifying the most critical high-priority risks and taking the necessary steps for remediation, ... Integrated vulnerability management and topology analysis should help organizations identify and appropriately prioritize remediation efforts.

The ability to determine what constitutes risk, and the requirement to report that risk to executive decision makers, can be a highly political activity requiring excellent written and oral communication skills with a good knowledge of business. Generally, these skills have been lacking in traditional technically-oriented information security specialists,

Message for IT people go get a business degree.

Anything that government and industry learn from hackers must be seen through the lens of their own risk management needs.

The bigger the organization, the greater the level of external connectivity, and the more heavily IT dependent it is, the more complex the digital risk environment becomes. Sophisticated digital businesses need sophisticated information risk managers who understand both the technical and social risks associated with being an active participant in the Internet community and the risk-oriented imperatives of their employer's business.

In some companies, operations and the business unit not only speak a different language, but have no way of talking about risks. Security people tend to think 'It's a risk, we can't have it,' whereas business people weigh risks and how they could affect the bottom line.