Dailydave mailing list archives
Re: Information Security Principles
From: Richard Thieme <rthieme () thiemeworks com>
Date: Thu, 11 Mar 2004 09:12:46 -0600
At 11:18 PM 3/10/2004 -0800, gf gf wrote:
I recently had the opportunity to meet with the head of IT Security for a large government agency. Although he didn't seem to be an expert on the technical details (no surprise there), I must admit that it was enlightening to see how he viewed things: talking about the goals of security (availability, authenticity, and confidentiality), risk assessment and management (see http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.mspx for a good use of this), security policies, and methodologies. I realize now that my training and experience have been mainly in the low-level, applied end - what most of us would consider the meat - protocols, app security, OS internals, etc. I'd like to expand my horizons a bit, and look at things from the other end - more general, more abstract - getting the bigger picture on information security. Yes, we tend to write these things off as fluff - but there is something to be said for them, as well. What does everyone think about this?
I recently did a keynote for a conference for IT people at Medtronic and the head of IT told them explicitly that it used to be adequate to be good at IT to be in IT. Now, however, you have to be equally good at communication and also understand the business you're in or addressing and have business acumen ... of course, I never thought that talking to other people effectively about what you hope to do for them, understanding their real needs, and contextualizing that discussion in light of risk management, costs and liabilities, as well as information assurance was "fluffy," but then, I have been writing about that side of it for eight years.

I strongly recommend (tongue in cheek) my "Islands in the Clickstream" columns at www.thiemeworks.com which will be published in July by Syngress as a collection. There is a section on business ... :- )

Seriously, this was a component of my dinner speech last week for IANS in Washington, how our weaknesses in one context (communications and business acumen) can become strengths when added to our core strengths (IT and security, for example) ... but you have to identify what you intend to do, then set up an intentional program for getting the support you need to provide practice, genuine expertise, and accountability to your intentions ... if you want the exercise I have long found useful (25 years!) for identifying that intention and mobilizing your resources on behalf of it, let me know and I'll email it.

Richard Thieme
Current thread:
- Information Security Principles gf gf (Mar 11)
- Re: Information Security Principles jeremy (Mar 11)
- RE: Information Security Principles Mike Bailey (Mar 11)
- Re: Information Security Principles Richard Thieme (Mar 11)
- Re: Information Security Principles jeremy (Mar 11)