Dailydave mailing list archives

Re: Information Security Principles


From: Richard Thieme <rthieme () thiemeworks com>
Date: Thu, 11 Mar 2004 09:12:46 -0600

At 11:18 PM 3/10/2004 -0800, gf gf wrote:
I recently had the opportunity to meet with the head
of IT Security for a large government agency. 
Although he didn't seem to be an expert on the
technical details (no surprise there), I must admit
that it was enlightening to see how he viewed things:
talking about the goals of security (availability,
authenticity, and confidentiality), risk assessment
and management (see
http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.mspx
for a good use of this), security policies, and
methodologies.

I realize now that my training and experience have
been mainly in the low level, applied end - what most
of us would consider the meat - protocols, app
security, OS internals, etc.  I'd like to expand my
horizons a bit, and look at things from the other end
- more general, more abstract - getting the bigger
picture on information security.  Yes, we tend to
write these things off as fluff - but there is
something to be said for them, as well.

What does everyone think about this?

I recently did a keynote for a conference for IT people at Medtronic and the head of IT told them explicitly that it 
used to be adequate to be good at IT to be in IT. Now, however, you have to be equally good at communication and also 
understand the business you're in or addressing and have business acumen ... of course, I never thought that talking to 
other people effectively about what you hope to do for them, understanding their real needs, and contextualizing that 
discussion in light of risk management, costs and liabilities, as well as information assurance was "fluffy," but then, 
I have been writing about that side of it for eight years.

I strongly recommend (tongue in cheek) my "Islands in the Clickstream" columns at www.thiemeworks.com which will be 
published in July by Syngress as a collection. There is a section on business ...   :- )

Seriously, this was a component of my dinner speech last week for IANS in Washington, how our weaknesses in one context 
(communications and business acumen) can become strengths when added to our core strengths (IT and security, for 
example) ... but you have to identify what you intend to do, then set up an intentional program for getting the support 
you need to provide practice, genuine expertise, and accountability to your intentions ... 

If you want the exercise I have long found useful (25 years!) for identifying that intention and mobilizing your 
resources on behalf of it, let me know and I'll email it. 

Richard Thieme 

