Most of the premise of this week's Security Standard conference in Boston appears to be that CIOs, CSOs and IT security practitioners have to treat security as a business process just like any other. My perspective is that treating IT security like a business process is like treating a tactical military strike force as a business. While maintaining the capability of military forces could be a process open for improvement by applying some business discipline, actually fighting battles and overcoming opposing forces does not have much of the "business process" about it. Security is much more akin to fighting a battle than it is to "aligning business objectives".
I have a feeling that the actual content of this conference will be a little more pithy. Stay tuned as I continue to blog LIVE from Hynes Center in Boston.