Just two months into 2015, and there is already a theme in information security: let's talk. Let's talk within the organization, within the industry, with the government, with everyone else.
It's not a new concept. The hallmark of a good security professional is one who can communicate effectively with end users, business stakeholders, and the board of directors. Information security professionals have to be able to talk about risk when discussing security. IT security teams come up with ways to make security concepts something end users can follow and understand. And for the past few years, every discussion about cyber-attacks and enterprise defense inevitably includes the necessity of industry-wide information sharing.
But over the past few weeks, there seems to be an increased sense of urgency. Much like 2014, we started 2015 talking about big data breaches, zero-day malware in the wild, and serious security issues in our computer systems, networks, and overall infrastructure. Governments around the world are talking about encryption in the context of law enforcement and investigations. Privacy advocates and security activists are looking at how we can communicate online in a trusted and secure manner. And there is a sense that we need to start making some changes in how we operate.
For the past few weeks, we had a few security professionals weigh in on how we need to communicate. Dale “Woody” Wooden talked about how what employees post on social networks can be manipulated by attackers to craft targeted attacks. J.J. Thompson of Rook Security addressed the challenges CISOs face when talking with the board. We will continue these conversations this month.
For those information security professionals who tuned into the State of the Union last month, cyber-security was a “blink and you will miss it” moment. But the fact that security of data and networks even came up on the national stage was notable. The most important takeaway from that moment, however, is the fact that the security industry needs to engage with the government.
Todd Inskeep has been digging into the president's comments and talking about how the information security community needs to become involved. “Against the backdrop of probably the most attacks in history, ongoing revelations about cyber-attack capabilities, potential surveillance overreach, an ongoing cyber attack against Sony, and continuing revelations of breaches in retailer after retailer, the direction and details of proposed legislation matters,” he writes. Don't forget to tune into his series this month.
“The direction is good, we need legislation, action and details to make sure the state of Information Security advances and improves. The wrong details could derail US leadership in Information Security and the concomitant jobs, companies, and infrastructure,” Inskeep writes.
If we don't like what is happening in infosec, it's time to engage and change the conversation, one at a time. Let's get started.