- Everything I Need to Know About Leadership I Learned as a Patrol Leader on the TaoSecurity blog.
- Forget ROI and Risk. Consider Competitive Advantage also on the TaoSecurity blog.
Let me add a number 4: "Boss-centric approach" (whether your boss is CIO, CEO or CSO...)
Security person: Hello boss. We need to implement our security program because it fits perfectly in your strategic points 1, 2 and 3 and helps you show just how well you deliver
- Anton Chuvakin's My Best PCI DSS Presentation EVER!, on the Security Warrior blog, contains good pieces on communicating with non-security people.
- Survey about ITsec maturity criteria: What should be audited in order to evaluate an ITsec maturity level? Page 26 to 28 in this [FR] PDF, on the site Les Assises de la Sécurité et des Systèmes d'Information.
- Joking as a way to get people closer to security: The BOFH-like excuses.
I'm getting more and more convinced that the leadership style of Bruce Schneier is what made him so popular. There is more personality than leadership in his case. In fact, my way of answering about "the mixture of security and feelings" is very close to his. Two examples:
A few quotes heard at the 4th International Forum on Cybercriminality:
- "Nowadays you learn more about someone from Facebook than from Edvige." (Edvige is a file of personal information used by the French police.)
- "The problem is not adapting to the digital world, it's adapting to the border-less world."
- "In healthcare, IT security is a deontological requirement."
- "Estonia is ahead of us [ahead of France regarding ITsec]."
Oh, by the way, I finally got a hint on why they all emphasize "Information Security" rather than "IT Security": I think it's because they want people to understand that it's not an IT-only problem.