Social Network For Security Executives: Help Make Right Cyber Security Decisions
At a recent industry event discussing security, a question was raised as to who needs to take ownership of security issues. The comment was made that it needs to be "someone senior enough to care, but junior enough to know what they are talking about".
This summarises a major issue in the cyber security industry. Security is a deeply complex issue, balancing threat, risk, business objectives, technology, process and people.
Senior business people tend to know about business objectives, and how to offset or manage business risks. When it comes to security risk, they are not experts, so they need to rely on and trust the information provided by the security experts. Sadly, when these two people meet they speak completely different languages, creating confusion rather than understanding of the issues. The outcome often leads to the senior person overlooking the risk or dealing with it in an inappropriate or non-optimal way.
(Read more: Announcing CISO Handbook: Call to Authors )
The good news is the industry is starting to see a set of CISOs that first and foremost understand the business. I cite two examples:
In both cases they then define their role as assessing the security risks to that business process (SCADA attacks, for example), and then put risk mitigation strategies in place to make sure the business process does not fail.
How do you summarise your CISO role? Can you do it in 140 'twitter' characters?
(Re-edit of an article originally on http://colinrobbins.me)