Page 20 - CISSO_Prep_ Guide
or punish users. Our job is not to spend our time treating the rest
of the organization as enemies or adversaries. We are here to
support, protect, and work WITH the business to earn their trust,
gain their respect, and, most of all, obtain their cooperation.
If you want to be a security professional, then you need to take
this approach. The security professional is a strategist, architect,
engineer, visionary, and planner. She knows how to get the most
benefit from the few resources available and build a security
program that is part of the business, closely aligned with the
priorities and risk appetite of senior management.
Governance
Every few years, a particular term becomes a central part of
our vocabulary. In the past few years, the word of choice has been
"governance." (In earlier years it was "prime," "enabler," or other
such vague buzzwords.) Over this same period, a great deal of
emphasis has been placed on governance, yet it is surprising how
many people still struggle to define what governance actually is.
Governance is based on the concepts of oversight, responsibility,
accountability, and ownership of an asset. IT governance is the
responsible protection of an organization's IT assets from
harm. Its core principle is the assignment and acceptance of
responsibility for managing IT systems, hardware, data, networks,
and monitoring systems. Without ownership, no
one is responsible, and therefore, no one person can be held
accountable for the safeguarding of the asset. If a group of people