<?xml version="1.0" encoding="utf-8"?><!-- generator="wordpress/2.0.5" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Where do they find the time?</title>
	<link>http://thurston.halfcat.org/blog/2008/04/30/where-do-they-find-the-time/</link>
	<description>We are the people your IT department warned you about</description>
	<pubDate>Fri, 21 Nov 2008 18:48:33 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.5</generator>

	<item>
		<title>by: Iang</title>
		<link>http://thurston.halfcat.org/blog/2008/04/30/where-do-they-find-the-time/#comment-232421</link>
		<pubDate>Fri, 02 May 2008 12:15:47 +0000</pubDate>
		<guid>http://thurston.halfcat.org/blog/2008/04/30/where-do-they-find-the-time/#comment-232421</guid>
					<description>It's your job, you're going to do it :)  By which I mean that the people responsible for doing the whole job will also have to do the security, there isn't another way that works, today.

There are several reasons for this.  One is that the InfoSec industry has failed to deliver value.  Why?  One reason is that the InfoSec people know only classical or theoretical infosec and that is too much theory.  They have failed to deliver that into the context of the enterprise, in such a way that it adds value not subtracts value.  Which also points to a failure to communicate or share their knowledge.

It is possible for them to learn.  Gunnar says that InfoSec people can learn to talk to developers, and if they don't, they fail to add value.  On my blog I opined that all CSOs should have MBAs, so as to talk to business people, which made me about as popular as a mouse at a party of cats.

I reckon it is possible for security people to reach across to their client base, I just don't see it as likely or a believable future.  And if not them, who else?  InfoSec as a specialisation is dying as we watch;  which leaves you, the canonical generalist inside the IT department.  IMHO :)</description>
		<content:encoded><![CDATA[<p>It&#8217;s your job, you&#8217;re going to do it :)  By which I mean that the people responsible for doing the whole job will also have to do the security, there isn&#8217;t another way that works, today.</p>
<p>There are several reasons for this.  One is that the InfoSec industry has failed to deliver value.  Why?  One reason is that the InfoSec people know only classical or theoretical infosec and that is too much theory.  They have failed to deliver that into the context of the enterprise, in such a way that it adds value not subtracts value.  Which also points to a failure to communicate or share their knowledge.</p>
<p>It is possible for them to learn.  Gunnar says that InfoSec people can learn to talk to developers, and if they don&#8217;t, they fail to add value.  On my blog I opined that all CSOs should have MBAs, so as to talk to business people, which made me about as popular as a mouse at a party of cats.</p>
<p>I reckon it is possible for security people to reach across to their client base, I just don&#8217;t see it as likely or a believable future.  And if not them, who else?  InfoSec as a specialisation is dying as we watch;  which leaves you, the canonical generalist inside the IT department.  IMHO :)
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
