Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

To Evangelize Security, Get Out Of Your Comfort Zone

If security professionals want to change corporate attitudes and culture, they need to step out of the echo chamber

I'm not a security professional -- I can't configure a firewall or hack my way out of a paper bag -- but I've been lucky enough to live and work in the info security community for almost a decade now. For me, last week's RSA Conference in San Francisco was old home week; nearly everywhere I walked, I saw someone I knew. And I was able to participate in nearly every conversation, because the topics were well-known and familiar.

This week, I'm in Nevada for Interop Las Vegas 2015, a conference that offers a much wider range of topics to a much broader IT audience. The faces are not as familiar here, and the conversations even less so, but I can't help feeling that information security's key messages are just as important here -- perhaps even more -- as they were in San Francisco last week.

IT security, I've learned, is a tight-knit community of people who "get it" -- that ethical security research is an essential part of the industry, that signatures are no longer enough, that a certain amount of risk is inherent in any enterprise security plan. Certain themes are accepted as truth, certain cost/benefit ratios are accepted as conventional wisdom. We argue over strategies, but we agree on most of the basic principles. When you're at a security conference, it's sort of like living in your home town.

When we move outside of our own circles, however, we members of the security community often find ourselves on unfamiliar ground. Here at Interop, for example, an audience of CIOs and data center professionals consider security an important plank in the IT platform -- but not the only consideration. Issues of business, bandwidth, performance, and storage play just as important a role as security -- and priorities may differ according to the situation. Security messages and practices must be taken in the context of a broader pallette of IT disciplines.

It is with this broader context in mind that Dark Reading helped to develop this year's Interop InfoSec and Risk Management Track, a group of educational sessions and workshops designed to help general IT professionals, as well as security professionals, lay the groundwork for key security decisions. While last week's RSA Conference provided direction primarily for the security pro, Interop is putting IT and security people into the same room -- so that they can learn and discuss common security topics in context of a bigger IT strategy, from their own unique perspectives. Think of a U.S. delegation hammering out its own foreign policy, and then applying it to the broader context of a meeting of the United Nations. That's the shift we make when we move from RSA Conference to Interop.

When security issues move out of the echo chamber and into the broader arena of general IT and business, they take on a different perspective and context. At Interop, we're speaking less about specific attacks and breaches and more about risk. We're talking less about individual products and technologies and more about costs and benefits. We're talking less about security operations and analytics and more about IT operations and end user enablement. The same issues are important, but the context changes because security is part of a bigger picture.

Move the circle further out, into the disciplines of business and organizational communication, and security becomes an even smaller piece of the puzzle -- not less important, but part of a longer list of priorities and challenges that are faced by the organization. From this perspective, security's most crucial aspects are still obvious, but the details are less visible.

As members of the security community, it's good for us to get away from our "home town" frequently, so that we can see our industry as it's seen from the outside -- the broader IT industry or the broader business arena. By stepping away from the picture, we get a better perspective, and we see it from the point of view of others who aren't so close to it. And that perspective may help us frame our conversations so that we're prioritizing what's important, and spending less time in the weeds.

If we want security issues to be recognized by the world, we'll have to step out of our community -- and our comfort zone -- and bring our most important messages to more general IT and business audiences. A home town is a great place to live, but it only reaches so far.


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/29/2015 | 10:00:17 AM
RSA has no value to any professional, unless you are in sales
This article completely reinforces how utterly worthless RSA has become as a venue for sharing knowledge. It's a giant capsule of marketing and sales professionals who pander to the press, offer free drinks and stupid plastic schwag.
I suspect Interop is no different. How much can you really learn from a 20 minute session?
While it is true that security professionals must "step out" of our circle, you are mistaken to think the circle they came from is not an existing IT profession. Most of us are organic security folk who have been programmers, network professionals, server admins, or even accountants.
Preach to the choir?
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS build 20210202 (and later) QT...
PUBLISHED: 2021-04-16
Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request...