What’s the talk about? It’s about how Security is a different entity inside of any business, assuming Security’s role persists in-house and is not out-sourced. Security Professionals cross all the silos that a traditional IT organization creates and isolates itself within (DBAs, AppDev, Linux SysAdmins, Windows SysAdmins, Network, etc.). Security Professionals see and interact with parts of the business that IT typically doesn’t (HR, Legal, Finance, R&D, etc.). This gives Security a unique perspective.
Security must leverage their unique position to make a positive and memorable impact with IT and the business. Spreading Fear, Uncertainty & Doubt (FUD) isn’t the way. Conveying the message that the sky is falling isn’t the way. Constantly saying “no” isn’t the way.
What is the way? Talk with IT & the Business. But don’t talk with them about what you want, which is Security. Talk with them about what they want. Ask them about their fears, their concerns, their problems, and what they wish they could do but don’t know how to do.
I wanted to come up with an approach that wouldn’t need approval or bureaucracy or some management intervention. I wanted something anyone could do at zero cost at any time with little to no gear needed.
And thus: Interview them. See the slide deck for how to go about this.
If you can solve a problem for IT and/or the Business, one that leverages Security’s unique view inside of the organization, then they will want to engage with Security in the future. If done properly, they will seek you out, accept when you engage, and consider you a trusted advisor.
It also has the benefit of action: you are doing something now, which is much preferred to waiting for someone else to realize that security is important.
Several people have asked where to get my slide deck for the talk. You can get it from Dropbox here.