Engage the world

Personal strategies for information security leaders to better engage with the business.

So said Alex Stamos in his call to action keynote at Black Hat 2017.  I thought it was a brilliant presentation, challenging the industry to change.  In this post, three months later, I am going to highlight some of the things I have been doing to follow up.

Mr. Stamos argued that the security profession does not engage the world effectively.  Instead of so much emphasis on "bug" detection and hacking, he encouraged security professionals to focus more on defense.  Not instead of hacking, but in addition.  What needs improvement in defense?  He emphasized more empathy with users, more engagement with builders and more foresight into security problems.  In my mind, this means more connection with the business.  He didn't say we should all go out and get MBAs.

"We don't engage the world effectively"

If you are like me, you have plenty of trouble just keeping up with the security field.  I have become a security podcast junkie to help with this.  There are so many good podcasts, but are there now too many?  I'm not sure if I can listen to another discussion about Equifax again.  So, I have decided to cut down from six to one or two, and replace the others with more business-focused podcasts.  I'm trying content such as the a16z podcast, which covers new technology as seen by VC investors, and the "Masters in Business" podcast by Barry Ritholtz.  A great new read on tech trends is WTF from Tim O'Reilly.  In "A Seat at the Table" Mark Schwartz writes about how tech leadership can engage with the business in our Agile/DevOps world.  Unfortunately, to provide security foresight, we are going to have to keep up broadly with these trends.  As Bill Murray has said, "that's why we get paid the big bucks."

How about security conferences?  Are there now too many, with not much new, actionable content?  I recently went to two such events in the Washington, DC area.  Now I see another DC security conference taking place next week.  Or in Nashville.  We had our annual sold out InfoSec conference last month.  I see another infosec conference invading later this month.  Mr. Stamos was talking about engaging others outside of the security community.  I decided to go to DevOps Days in Nashville next week.  Interesting that there’s nothing about security on their agenda.  I am going to try to engage with developers and better learn their language.

Professional organizations

How about professional organizations?  To engage those outside of the security community, I have looked beyond ISSA and ISACA (both great organizations) to groups like SIM (Society for Information Management).  SIM is a business-oriented IT leadership organization of over 4500 members.  There is probably a chapter near you.  Coincidentally, SIM has just started a Cybersecurity Special Interest Group.  Or, beyond this group, consider Kiwanis or Rotary.  These groups offer opportunities to give back to the community and engage with business leaders.

To protect our organizations, we are going to have to engage with a more diverse group.  The opportunity is there.  According to the recent KPMG 2017 survey of CEOs, "76% see investment in cybersecurity as an opportunity to find new revenue streams and innovate, rather than as an overhead cost".  32% said they were planning to significantly invest in security over the next three years.  These are amazing results.  The most effective security initiatives I have seen were highly engaged with, and contributing to, business outcomes.  The survey results say that executive leadership is open to this type of strategy.  Don't see security as just patching, finding bugs or even as just risk analysis.  It is an opportunity to engage with and drive business outcomes.  Look for those opportunities.

Copyright © 2017 IDG Communications, Inc.