ABSTRACT

Security is often viewed as an “after-the-fact” service that sets policy to protect the physical and logical assets of the company. When a policy is violated, the security organization is charged with recording the violation and correcting the circumstances that permitted it to occur. Unfortunately, the computer security department (CSD) is usually viewed in the same light, and both are considered cost-based services. To change that school of thought, security must become a value-added business partner, providing guidance before and after incidents occur.