…there was a goal of teaching people how to communicate, interact, and learn from each other. When I wound up in InfoSec and IT Risk Management, my goal evolved into communicating to InfoSec professionals – IT Security Managers, CSO’s, Network Security Managers (bleach! I hate that term) – that there are good ways and bad ways to approach, communicate and manage information security. My “Great Crystallization” in InfoSec came at a round table with nominees for the Information Security Executives of the Year held in Orange County, California in 2008. The question (loosely recalled) was asked, “why are executives not giving information security the attention it needs?”
Somehow the previous conversations that afternoon led me to recall a small ignored fact from a highly publicized incident. Only a year or two before the infamous TJX credit card breach had occurred. Everyone in the InfoSec space rallied around this news as the battle cry for greater security, and “see what can happen!”. We all watched the costs escalate, and watched analysts speculate the costs had risen over $150 million USD (and eventually to over $200 million USD). In all of this saber rattling, we failed to watch an important metric that for some reason seems to matter to some important people (executives, board of directors). One year after the break in, despite our usual predictions that a break-in of any magnitude can ruin a company, TJX’s stock price was higher than immediately preceding the disclosure of the incident (1), and that its sales numbers were up. Hmmmm.
My mouth opened, I related this story to my peers, and there was an awkward silence. (This still happens today.) I then pulled out my soap-box and started my suddenly discovered passion for anti-FUD, business collaboration, and the effective ways to make InfoSec and IT Risk Management relevant to executives. My soap-box is still out, and I’m still standing on it. Just now my soap-box has a keyboard attached to it. I just hope some InfoSec professionals see the benefit of visiting me in the middle of the village square every so often.
So this blog is really about how I’ve seen companies successfully convince business owners, executives, managers, and even the employees that information security is relevant. I’ll post on a monthly basis some of my formal research, relevant stories I have, and some musings that may come in handy. And don’t worry customers, I won’t reveal any secrets, but I can’t help if the situations might resemble a conversation we’ve had.