The other day I was subject to the assertion that the only asset an IT security organizations should care about is data. Now being in the application security business, I should have been jumping at this validation but couldn't.
The IT security org needs to understand what threats the business faces from its technology systems. In many cases this is not a direct threat to the confidentiality or availability of data. Some attacks may be focused on other aspects of the systems like integrity or even cost. Read more...