Security Planning, Policy, Leadership, and the Inevitable Unexpected
Security is a steady, continuous improvement journey, until the inevitable unexpected shock to the system: a major attack or breach that forces you to accelerate the pace. As IT folks, we naturally gravitate toward technology-centric information security solutions, and we are good at implementing them. Quite often these highly important but low-profile efforts garner little attention or gratitude from the broader institutional community. Let’s face it: our colleagues simply trust us to do a good job, and they generally don’t understand what we’re doing when it comes to information security. We may find this lack of interference a blessing, but when a major security event occurs, they suddenly pay attention. These “technology appreciation events” are never pleasant for IT. If we want to make these events less painful, we need to find ways to evocatively engage our institutional community in the information security dialogue. This session is designed to address how we can involve the rest of the institution in information security decisions, discussions, and processes in a manner that is meaningful to them. The session will discuss an IT vision that strengthens information security and how that vision embraces security policy growth, risk management, security project discipline, alternative leadership models, institutional engagement in the decision-making process, and creating the perspective of information security as an opportunity.
Chief Information Officer, Simon Fraser University