Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

To Evangelize Security, Get Out Of Your Comfort Zone

If security professionals want to change corporate attitudes and culture, they need to step out of the echo chamber

I'm not a security professional -- I can't configure a firewall or hack my way out of a paper bag -- but I've been lucky enough to live and work in the info security community for almost a decade now. For me, last week's RSA Conference in San Francisco was old home week; nearly everywhere I walked, I saw someone I knew. And I was able to participate in nearly every conversation, because the topics were well-known and familiar.

This week, I'm in Nevada for Interop Las Vegas 2015, a conference that offers a much wider range of topics to a much broader IT audience. The faces are not as familiar here, and the conversations even less so, but I can't help feeling that information security's key messages are just as important here -- perhaps even more -- as they were in San Francisco last week.

IT security, I've learned, is a tight-knit community of people who "get it" -- that ethical security research is an essential part of the industry, that signatures are no longer enough, that a certain amount of risk is inherent in any enterprise security plan. Certain themes are accepted as truth, certain cost/benefit ratios are accepted as conventional wisdom. We argue over strategies, but we agree on most of the basic principles. When you're at a security conference, it's sort of like living in your home town.

When we move outside of our own circles, however, we members of the security community often find ourselves on unfamiliar ground. Here at Interop, for example, an audience of CIOs and data center professionals consider security an important plank in the IT platform -- but not the only consideration. Issues of business, bandwidth, performance, and storage play just as important a role as security -- and priorities may differ according to the situation. Security messages and practices must be taken in the context of a broader pallette of IT disciplines.

It is with this broader context in mind that Dark Reading helped to develop this year's Interop InfoSec and Risk Management Track, a group of educational sessions and workshops designed to help general IT professionals, as well as security professionals, lay the groundwork for key security decisions. While last week's RSA Conference provided direction primarily for the security pro, Interop is putting IT and security people into the same room -- so that they can learn and discuss common security topics in context of a bigger IT strategy, from their own unique perspectives. Think of a U.S. delegation hammering out its own foreign policy, and then applying it to the broader context of a meeting of the United Nations. That's the shift we make when we move from RSA Conference to Interop.

When security issues move out of the echo chamber and into the broader arena of general IT and business, they take on a different perspective and context. At Interop, we're speaking less about specific attacks and breaches and more about risk. We're talking less about individual products and technologies and more about costs and benefits. We're talking less about security operations and analytics and more about IT operations and end user enablement. The same issues are important, but the context changes because security is part of a bigger picture.

Move the circle further out, into the disciplines of business and organizational communication, and security becomes an even smaller piece of the puzzle -- not less important, but part of a longer list of priorities and challenges that are faced by the organization. From this perspective, security's most crucial aspects are still obvious, but the details are less visible.

As members of the security community, it's good for us to get away from our "home town" frequently, so that we can see our industry as it's seen from the outside -- the broader IT industry or the broader business arena. By stepping away from the picture, we get a better perspective, and we see it from the point of view of others who aren't so close to it. And that perspective may help us frame our conversations so that we're prioritizing what's important, and spending less time in the weeds.

If we want security issues to be recognized by the world, we'll have to step out of our community -- and our comfort zone -- and bring our most important messages to more general IT and business audiences. A home town is a great place to live, but it only reaches so far.

 

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SgS125
100%
0%
SgS125,
User Rank: Ninja
4/29/2015 | 10:00:17 AM
RSA has no value to any professional, unless you are in sales
This article completely reinforces how utterly worthless RSA has become as a venue for sharing knowledge. It's a giant capsule of marketing and sales professionals who pander to the press, offer free drinks and stupid plastic schwag.
I suspect Interop is no different. How much can you really learn from a 20 minute session?
While it is true that security professionals must "step out" of our circle, you are mistaken to think the circle they came from is not an existing IT profession. Most of us are organic security folk who have been programmers, network professionals, server admins, or even accountants.
Preach to the choir?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/1/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Threat from the Internet--and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15478
PUBLISHED: 2020-07-01
The Journal theme before 3.1.0 for OpenCart allows exposure of sensitive data via SQL errors.
CVE-2020-6261
PUBLISHED: 2020-07-01
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired.
CVE-2020-15471
PUBLISHED: 2020-07-01
In nDPI through 3.2, the packet parsing code is vulnerable to a heap-based buffer over-read in ndpi_parse_packet_line_info in lib/ndpi_main.c.
CVE-2020-15472
PUBLISHED: 2020-07-01
In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as demonstrated by a payload packet length that is too short.
CVE-2020-15473
PUBLISHED: 2020-07-01
In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c.