Corporate theology dictates ‘defense-in-depth’, but the reality is that an organization will only be as secure as its risk profile. The risk profile below is a generic picture meant to illustrate this across various industries.

Your job as an IT security professional is to do your best to secure your organization, and to learn the difference between corporate theology and reality, because spending your entire life securing a university isn’t going to help you sleep at night. Universities, for the most part, are blasé about security.

Q) Are you secure?

A) To the hilt! (of my risk profile)

Risk Profiles


The smaller the risk profile, the higher the security. The larger the risk profile, the lower the security.

  1. National Security Agency = Super Duper Secure
  2. Bank = Super Secure
  3. FMCG = Secure Enough
  4. University = Insecure!

There are grocery companies which have more secure environments than banks – are they doing the right thing? Shareholders might have other ideas about the correct allocation of cash to a non-context division of the business.

Security costs money and has to be tailored to the core/context function of a business.