Microsoft Got Me Drunk, And Other Ruminations
It’s true. They bought the booze. I drank the booze. I now blog about the booze. It was cheap and tasted awful. I’m also not drunk, for the record.
On to more interesting stuff!
I’ll be updating the “Day 1” post later from my notes.
The thing I love the most about the annual pilgrimage of InfoSec professionals is watching them. It’s true. I’m a people watcher like you wouldn’t believe. Also, because it makes me laugh, I love the word “pilgrimage” because it always makes me think of its German version, die Pilgerfahrt. When said with a haughty guttural belch, die Pilgerfahrt may be one of the funniest of the many funny German things. But back to InfoSec professionals: I’ve observed (previously, and more so now) that there are three types of ISOs (Information Security Officers).
- Iso – Note the capital ‘Information’. The Iso is generally non-technical. Generally a librarian or CIO in another life (or a dean, believe it or not). They affect InfoSec by top-down policy. They think up neat policies, and get El Presidente to sign them, and bingo! You’ve got InfoSec.
- isO – Note the capital ‘Officer’. The isO is generally ex-law-enforcement or ex-military. They believe that their job is to impact InfoSec through fear, overt monitoring of information, and treating even the smallest of infractions like you just turned over National Security data to the Iranians. Kind of like when you get pulled over for going 5 MPH over the speed limit, but the officer lets you know how he just saved your life, and the lives of everyone else on the road, by intervening. Yes, the isO may have some policy, but it’ll be draconian and without regard to the environment. Make people afraid, and bingo! You’ve got InfoSec.
- iSo – Note the capital ‘Security’. The iSo is generally from a technical background: senior programmer, systems guru, network admin, etc. These people understand the need for policy, and the need for enforcement, but weigh that against the environment they’re in. Why make everyone afraid of you, when you can ask nicely and get at least the same results? The iSo is generally in a bottom-up, grass-roots security environment, where there is already strong leadership in IT, but there needs to be a focus on Security. They know that you will never “bingo! You’ve got InfoSec.” There will never be a “Mission Accomplished”. You will do the best you can with the resources you have, and the cards will fall where they will.
I know I’ve already blogged about my opinions of my job, but it’s important to me. Not because it’s my job, but because it’s my Tao. I feel very passionately that the pure-policy or the pure-thuggery approaches are missing a very important piece. We have to secure our information, and we need planning and policy to do it, and probably some overt ramifications of negligence and misconduct, but how we get there is the important part! The journey is the reward! Speaking of Tao, one of my highest Tao is a Hindu proverb:
Vision without Action is Imagination. Action without Vision is Chaos. Vision with Action is Transformation.
This is actually relevant. The first is the Iso approach, the second is the isO approach, and the third is the iSo approach! Yes, I just related InfoSec management to Hinduism. I should get a degree for that… Or write another book that my institution won’t consider worth noting.
To be fair, some environments may need the different types. In large organizations, probably with poor or overwhelmed IT leadership, the Iso can mandate this or that and it will just magically happen. Kind of like trickle-down Reaganomics may have magically helped the poor. In organizations with IT staff who “don’t wanna”, and employees who have no vested interest in securing their information, the Marines… er, isO need to be called in to. This could be.
It’s early in Denver still. Time to stop being productive.
Other Links to this Post
- M@Blog - Security Conference Day 1 — April 12, 2007 @ 11:59 am
- I Sleep On Planes @ M@Blog — May 4, 2008 @ 9:15 pm