ABSTRACT
The minimalist approach is the wrong attitude for an executive. Such an attitude gets propagated throughout an organization. It establishes a “tone at the top.” The tone at the top is what many regulatory agencies and auditors look for when performing an overall assessment of an organization. When doing compliance and security reviews, security professionals look for vulnerabilities and levels of risk, but they also talk to people throughout the organization in order to gauge their feelings, their attitudes about security, and their awareness of their personal responsibility to protect the confidentiality, integrity, and availability (CIA) of the data with which they work. When an auditor or examiner gets the sense that an organization does not appear to be prepared, he or she is going to take a closer look. When the attitude at the top is that security is unimportant, it will permeate into other areas of the organization and be recognizable during an assessment performed by experienced security or audit professionals. An auditor or examiner is likely to dig much deeper, request more documentation, or perform more tests when the organization seems unready. Security professionals doing an assessment should scrutinize such an organization more thoroughly, because if the attitude is lax, then the risk is probably not adequately managed.