Saturday, April 17, 2010

Altering the philosophy of this blog

I have long felt that responsibility in information security was a hard management job.
I have always known, through personal temper, that leadership is an asset in every management position.

Yet it never appeared to me until a few semesters ago how much responsibility in information security was a job that required, most of all, leadership skills. For this reason, I have chosen to more regularly publish articles on this site about the leadership of information security, including good readings about it, even uncommented.

Among the reasons that conspired to enhance my point of view, here are a few:
  • Working as the person responsible in this field for more than two years now.
  • Realizing that the job is a drop about team management, a bucket about upwards management and an ocean about transversal and stakeholders' management.
  • Realizing that security is a lot about conceptions and misconceptions, and that vendors are better at it than internal managers of any company. And that reacting to this situation takes a lot of communication towards the teams.
  • Having Anton Chuvakin summarize one of my articles by naming my job "expert in security leadership", which made me think a lot.
  • Reading books like "Geekonomics", by David Rice or "The CISO function [FR]", by Bernard Foray.
  • Seeing that everyone is capable of designing a highly sophisticated security framework in his head, but less often of implementing it.
  • Reading a lot of blog articles from security experts, and writing a few, complaining about people's behaviour and misconceptions and calling for help, for people to change.

In the end, I have decided that the best thing is to help myself, rather than wait for others to change or wait for "top management" to give full powers. Heaven helps those who help themselves, as is said on both sides of the English Channel.
So now comes the time when I emphasize leadership.

Comments, praises and amazements welcome.