
To Evangelize Security, Get Out Of Your Comfort Zone

If security professionals want to change corporate attitudes and culture, they need to step out of the echo chamber

I'm not a security professional -- I can't configure a firewall or hack my way out of a paper bag -- but I've been lucky enough to live and work in the info security community for almost a decade now. For me, last week's RSA Conference in San Francisco was old home week; nearly everywhere I walked, I saw someone I knew. And I was able to participate in nearly every conversation, because the topics were well-known and familiar.

This week, I'm in Nevada for Interop Las Vegas 2015, a conference that offers a much wider range of topics to a much broader IT audience. The faces are not as familiar here, and the conversations even less so, but I can't help feeling that information security's key messages are just as important here -- perhaps even more -- as they were in San Francisco last week.

IT security, I've learned, is a tight-knit community of people who "get it" -- that ethical security research is an essential part of the industry, that signatures are no longer enough, that a certain amount of risk is inherent in any enterprise security plan. Certain themes are accepted as truth, certain cost/benefit ratios are accepted as conventional wisdom. We argue over strategies, but we agree on most of the basic principles. When you're at a security conference, it's sort of like living in your home town.

When we move outside of our own circles, however, we members of the security community often find ourselves on unfamiliar ground. Here at Interop, for example, an audience of CIOs and data center professionals considers security an important plank in the IT platform -- but not the only consideration. Issues of business, bandwidth, performance, and storage play just as important a role as security -- and priorities may differ according to the situation. Security messages and practices must be taken in the context of a broader palette of IT disciplines.

It is with this broader context in mind that Dark Reading helped to develop this year's Interop InfoSec and Risk Management Track, a group of educational sessions and workshops designed to help general IT professionals, as well as security professionals, lay the groundwork for key security decisions. While last week's RSA Conference provided direction primarily for the security pro, Interop is putting IT and security people into the same room -- so that they can learn and discuss common security topics in context of a bigger IT strategy, from their own unique perspectives. Think of a U.S. delegation hammering out its own foreign policy, and then applying it to the broader context of a meeting of the United Nations. That's the shift we make when we move from RSA Conference to Interop.

When security issues move out of the echo chamber and into the broader arena of general IT and business, they take on a different perspective and context. At Interop, we're speaking less about specific attacks and breaches and more about risk. We're talking less about individual products and technologies and more about costs and benefits. We're talking less about security operations and analytics and more about IT operations and end user enablement. The same issues are important, but the context changes because security is part of a bigger picture.

Move the circle further out, into the disciplines of business and organizational communication, and security becomes an even smaller piece of the puzzle -- not less important, but part of a longer list of priorities and challenges that are faced by the organization. From this perspective, security's most crucial aspects are still obvious, but the details are less visible.

As members of the security community, it's good for us to get away from our "home town" frequently, so that we can see our industry as it's seen from the outside -- the broader IT industry or the broader business arena. By stepping away from the picture, we get a better perspective, and we see it from the point of view of others who aren't so close to it. And that perspective may help us frame our conversations so that we're prioritizing what's important, and spending less time in the weeds.

If we want security issues to be recognized by the world, we'll have to step out of our community -- and our comfort zone -- and bring our most important messages to more general IT and business audiences. A home town is a great place to live, but it only reaches so far.


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
User Rank: Ninja
4/29/2015 | 10:00:17 AM
RSA has no value to any professional, unless you are in sales
This article completely reinforces how utterly worthless RSA has become as a venue for sharing knowledge. It's a giant capsule of marketing and sales professionals who pander to the press, offer free drinks and stupid plastic schwag.
I suspect Interop is no different. How much can you really learn from a 20 minute session?
While it is true that security professionals must "step out" of our circle, you are mistaken to think the circle they came from is not an existing IT profession. Most of us are organic security folk who have been programmers, network professionals, server admins, or even accountants.
Preach to the choir?