Future Security Leaders at the RSA Conference

Back in November, I mentioned my concern about the lack of educational opportunities for future security leaders, and I am thrilled to report that we have started to change that this year at the RSA Conference.  Anyone who has been to the RSA Conference before knows that it officially kicks off on Tuesday each year, but the number of pre-conference options has been growing every year.  This year they added a new session to the Professional Development track, Building and Managing a Successful Information Security Program, which was very well attended (450 attendees, not bad for 8:30am).  As a speaker (and organizer of the morning series), I was surprised by the attendance, which validated the premise for the sessions: there are no formal educational forums for aspiring security leaders.  Basically, when you get the job of leading a security program for the first time, you have to figure it out as you go.  Wouldn't it be nice to learn from the mistakes that past leaders have already made?

I thought I would share a few points that I found most interesting from the sessions.  When someone joins an organization as a CISO or CSO, the tendency is to jump right in and start fixing things, but the reality is that it is far more important to spend the first six months on the job listening and profiling the organization.  Sure, you could make a list of the critical holes in the organization's security program and start forcing change, but that is going to set the wrong tone for your program.  Instead, the advice from the CISOs was to gather as much information as you can about how the business functions and what its priorities are before you try to change anything.  Observe and document first.

Another important topic was how to promote (or evangelize) the security program and, ultimately, change the culture of the organization.  Of course this is going to require support from the top executives, but that top-down approach needs to be combined with context from the bottom up.  All too often senior management agrees to security initiatives that then get communicated down the chain for execution with no context.  Without context, the folks on the ground are bound to go through the motions even if the activity provides no security benefit.  It is important to make sure that the engineers and administrators understand why they are performing a task, so that they are empowered to recognize when something is wrong.  Otherwise they will diligently perform a task every day with no hope of achieving its original purpose.  So as a security leader, you need to focus on both approaches to security education and awareness.

I received a lot of feedback after the session about how organizations are trying, or have tried, to decentralize some of the operational roles of the security team into other business functions.  For example, firewall administration and maintenance doesn't need to be directly managed by the security team.  A network administration team can perform this function with oversight from the security team.  However, someone pointed out that it isn't as easy as just moving the responsibility to another group.  There needs to be a transition plan, complete with training and oversight.  The new responsibility also needs to be a formal part of that group's objectives, not a best-effort side duty.  Many organizations have even found it beneficial to give up headcount to other groups so that those groups can bring security professionals on board.  One of the side benefits of this approach is that a security engineer who is embedded in an operational group often isn't perceived as the bad guy the way the security team sometimes can be.  They are seen as part of that team, which promotes trust and cooperation.  This can really start to expand the reach of the security team at no additional cost.

Overall, I think that this opportunity for attendees to hear straight from leading CISOs what is important in their role is an invaluable dialogue that needs to continue if we have any hope of preparing our future information security leaders for the demands of the job.

I have posted a copy of my presentation, Organizational Structure, What Works (PDF), with speaker notes on my website.
