Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

To Evangelize Security, Get Out Of Your Comfort Zone

If security professionals want to change corporate attitudes and culture, they need to step out of the echo chamber

I'm not a security professional -- I can't configure a firewall or hack my way out of a paper bag -- but I've been lucky enough to live and work in the info security community for almost a decade now. For me, last week's RSA Conference in San Francisco was old home week; nearly everywhere I walked, I saw someone I knew. And I was able to participate in nearly every conversation, because the topics were well-known and familiar.

This week, I'm in Nevada for Interop Las Vegas 2015, a conference that offers a much wider range of topics to a much broader IT audience. The faces are not as familiar here, and the conversations even less so, but I can't help feeling that information security's key messages are just as important here -- perhaps even more -- as they were in San Francisco last week.

IT security, I've learned, is a tight-knit community of people who "get it" -- that ethical security research is an essential part of the industry, that signatures are no longer enough, that a certain amount of risk is inherent in any enterprise security plan. Certain themes are accepted as truth, certain cost/benefit ratios are accepted as conventional wisdom. We argue over strategies, but we agree on most of the basic principles. When you're at a security conference, it's sort of like living in your home town.

When we move outside of our own circles, however, we members of the security community often find ourselves on unfamiliar ground. Here at Interop, for example, an audience of CIOs and data center professionals consider security an important plank in the IT platform -- but not the only consideration. Issues of business, bandwidth, performance, and storage play just as important a role as security -- and priorities may differ according to the situation. Security messages and practices must be taken in the context of a broader pallette of IT disciplines.

It is with this broader context in mind that Dark Reading helped to develop this year's Interop InfoSec and Risk Management Track, a group of educational sessions and workshops designed to help general IT professionals, as well as security professionals, lay the groundwork for key security decisions. While last week's RSA Conference provided direction primarily for the security pro, Interop is putting IT and security people into the same room -- so that they can learn and discuss common security topics in context of a bigger IT strategy, from their own unique perspectives. Think of a U.S. delegation hammering out its own foreign policy, and then applying it to the broader context of a meeting of the United Nations. That's the shift we make when we move from RSA Conference to Interop.

When security issues move out of the echo chamber and into the broader arena of general IT and business, they take on a different perspective and context. At Interop, we're speaking less about specific attacks and breaches and more about risk. We're talking less about individual products and technologies and more about costs and benefits. We're talking less about security operations and analytics and more about IT operations and end user enablement. The same issues are important, but the context changes because security is part of a bigger picture.

Move the circle further out, into the disciplines of business and organizational communication, and security becomes an even smaller piece of the puzzle -- not less important, but part of a longer list of priorities and challenges that are faced by the organization. From this perspective, security's most crucial aspects are still obvious, but the details are less visible.

As members of the security community, it's good for us to get away from our "home town" frequently, so that we can see our industry as it's seen from the outside -- the broader IT industry or the broader business arena. By stepping away from the picture, we get a better perspective, and we see it from the point of view of others who aren't so close to it. And that perspective may help us frame our conversations so that we're prioritizing what's important, and spending less time in the weeds.

If we want security issues to be recognized by the world, we'll have to step out of our community -- and our comfort zone -- and bring our most important messages to more general IT and business audiences. A home town is a great place to live, but it only reaches so far.

 

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SgS125
100%
0%
SgS125,
User Rank: Ninja
4/29/2015 | 10:00:17 AM
RSA has no value to any professional, unless you are in sales
This article completely reinforces how utterly worthless RSA has become as a venue for sharing knowledge. It's a giant capsule of marketing and sales professionals who pander to the press, offer free drinks and stupid plastic schwag.
I suspect Interop is no different. How much can you really learn from a 20 minute session?
While it is true that security professionals must "step out" of our circle, you are mistaken to think the circle they came from is not an existing IT profession. Most of us are organic security folk who have been programmers, network professionals, server admins, or even accountants.
Preach to the choir?
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
CVE-2011-1930
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
CVE-2011-1145
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
CVE-2011-1488
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...