To Evangelize Security, Get Out Of Your Comfort Zone

If security professionals want to change corporate attitudes and culture, they need to step out of the echo chamber

I'm not a security professional -- I can't configure a firewall or hack my way out of a paper bag -- but I've been lucky enough to live and work in the info security community for almost a decade now. For me, last week's RSA Conference in San Francisco was old home week; nearly everywhere I walked, I saw someone I knew. And I was able to participate in nearly every conversation, because the topics were well-known and familiar.

This week, I'm in Nevada for Interop Las Vegas 2015, a conference that offers a much wider range of topics to a much broader IT audience. The faces are not as familiar here, and the conversations even less so, but I can't help feeling that information security's key messages are just as important here -- perhaps even more -- as they were in San Francisco last week.

IT security, I've learned, is a tight-knit community of people who "get it" -- that ethical security research is an essential part of the industry, that signatures are no longer enough, that a certain amount of risk is inherent in any enterprise security plan. Certain themes are accepted as truth, certain cost/benefit ratios are accepted as conventional wisdom. We argue over strategies, but we agree on most of the basic principles. When you're at a security conference, it's sort of like living in your home town.

When we move outside of our own circles, however, we members of the security community often find ourselves on unfamiliar ground. Here at Interop, for example, an audience of CIOs and data center professionals consider security an important plank in the IT platform -- but not the only consideration. Issues of business, bandwidth, performance, and storage play just as important a role as security -- and priorities may differ according to the situation. Security messages and practices must be taken in the context of a broader pallette of IT disciplines.

It is with this broader context in mind that Dark Reading helped to develop this year's Interop InfoSec and Risk Management Track, a group of educational sessions and workshops designed to help general IT professionals, as well as security professionals, lay the groundwork for key security decisions. While last week's RSA Conference provided direction primarily for the security pro, Interop is putting IT and security people into the same room -- so that they can learn and discuss common security topics in context of a bigger IT strategy, from their own unique perspectives. Think of a U.S. delegation hammering out its own foreign policy, and then applying it to the broader context of a meeting of the United Nations. That's the shift we make when we move from RSA Conference to Interop.

When security issues move out of the echo chamber and into the broader arena of general IT and business, they take on a different perspective and context. At Interop, we're speaking less about specific attacks and breaches and more about risk. We're talking less about individual products and technologies and more about costs and benefits. We're talking less about security operations and analytics and more about IT operations and end user enablement. The same issues are important, but the context changes because security is part of a bigger picture.

Move the circle further out, into the disciplines of business and organizational communication, and security becomes an even smaller piece of the puzzle -- not less important, but part of a longer list of priorities and challenges that are faced by the organization. From this perspective, security's most crucial aspects are still obvious, but the details are less visible.

As members of the security community, it's good for us to get away from our "home town" frequently, so that we can see our industry as it's seen from the outside -- the broader IT industry or the broader business arena. By stepping away from the picture, we get a better perspective, and we see it from the point of view of others who aren't so close to it. And that perspective may help us frame our conversations so that we're prioritizing what's important, and spending less time in the weeds.

If we want security issues to be recognized by the world, we'll have to step out of our community -- and our comfort zone -- and bring our most important messages to more general IT and business audiences. A home town is a great place to live, but it only reaches so far.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Recommended Reading: