I’m fresh off of a couple of weeks of getting new data and new perspectives from “herds” of security people by spending time hanging around their watering holes.

For example, I spent some time at Black Hat, hearing from others on what they are doing to improve security. I have been spending time with a couple of ISACs (Information Sharing and Analysis Centers).

I have been lurking on a listserv of risk analysts to hear the latest views on infosec risk frameworks. And so on. Next month, I will be hanging around some different watering holes, this time in groups oriented toward and comprised of C-level security executives.

The interesting thing to me is how little overlap there is between these groups, and how limited the "senior executive" involvement is in these groups. This feels like a missed opportunity to me.

In a sense, I think this is an echo of the problem I talk about all the time here: there's a big gap between the "doers" and the "suits" in the business. They don't always know how to talk to each other, and neither seeks out opportunities to listen to the other group.

Unlike the watering hole analogy though, these groups don’t have a hard & fast predator/prey relationship, so we should be able to solve this.

As someone who's watching each of these crowds, it feels like we're missing the opportunity to cross-pollinate information between these groups. I don't know how to solve that, but I am interested in hearing your thoughts, especially if you know of examples where this is working.

I’d love to hear from you.


P.S. Have you met John Powers, supernatural CISO?

  • Wayne

    While we have work to do, I believe the company I am at is on the right track with this. One key element for us has been looking at Info Sec and IT in general like we would finance or HR. There is a whole domain of knowledge that most VPs, Directors and Managers don't need to know about finance or HR, but there is some core knowledge required as a part of their job.

    The trick is getting the domain experts to come down to a level others can understand and getting the non-experts up to a level of foundational knowledge. There is no easy or quick road and I spend a lot of time meeting with people to discuss Information Security or building tools in Excel to simplify data collection. For key departments I have meetings at least every quarter, some I have monthly, to discuss Info Sec issues, trends and solicit feedback.

    One article I read a long time ago proposed that the issue was due to Info Sec needing two types of leaders, one business and one technical. The problem, as they wrote, is that one person will rarely have sufficient skill in both domains to be effective, but that is what we currently expect.

  • Phil Agcaoili

    Without reinventing the wheel, this is why "mature enough" companies have corporate security or executive security councils with senior members from legal, HR, finance, IT, and other business groups to periodically and consistently discuss the security risks to the business in order to help, inform, guide, and invest in security of the company.

Dwayne Melancon

Dwayne Melancon has contributed 141 posts to The State of Security.