IT Security Guru

Where is the evangelist among us?

by The Gurus
December 5, 2013
in Opinions & Analysis

In a recent article, I detailed how businesses should consider a “security evangelist” to enable the IT team to have someone on company floors “preaching” about IT security and gathering feedback on what does not work.
 
Peter Wood, CEO of First Base Technologies, who first planted the seed with me about this, said that he was keen to create a talking point around it, and in the week after I posted this story I spoke to a number of key people in the industry to see whether this is something that is being done, could be done, or was totally wrong.
 
CISO Amar Singh, a person who was firmly at the front of my mind while writing the original article, said that he agreed that the article accurately described him and, more importantly, his approach. “People skills, marketing skills and importantly – the ability to say more by saying less or put another way – staying away from a technical description and using a common vocabulary instead,” he said.
 
“Importantly, as you point out – stay away from IT completely and to that extent the business must help the CISO or equivalent to move out of the IT pigeon hole.”
 
One person who acts as the security evangelist at Dell is Ramsés Gallego, who also serves as international vice president of the board of directors at ISACA. He said that the point of this role is to focus on skills, not to monitor activity, and to work as a trusted advisor.
 
He said: “What does an evangelist do? They preach! They evangelise about something and build trust whether it is in a security environment or in the governance space. They bring perspective into the business and note the impact of the security space.
 
“This is what I do and I work internally to reach out and to build trust, and people come to you for advice as you can see beyond a different angle on a topic. It means a company can put IT first, and how I see a trusted advisor is being an evangelist on people, process and technology to understand the culture, structure and strategy.”
 
So the role is to preach, build trust and work in the way that a religious evangelist would, ensuring that the audience not only understands what is being said but believes that it is the truth and the way. I asked Brian Honan, CEO of BH Consulting, how he saw this concept, and he said that he had always been a firm believer in this type of role, but would shy away from the term “security evangelist”.
 
He said that this role should be one of the core skills of an effective CISO, as senior and line management in many businesses do not understand information security and therefore may ignore it or not treat it with the priority they should.
 
“On the other hand many security professionals come from a technical background and see information security as a technical issue that can be solved by technology. Both views are unsustainable and businesses and security professionals who do not embrace the new business environment and threat landscapes will be more susceptible to a security breach,” he said.
 
“It still surprises, and disappoints, me when I ask information security professionals how well they understand the business needs of their organisation and they answer that they don’t understand or care about the business side of things. Many have not taken simple steps such as reading the organisation’s annual report or making themselves aware of the organisation’s business plan. If you do not understand how your organisation works, the business challenges it faces or major changes that may be happening in the coming years, then how can you properly plan an effective information security strategy to protect the organisation?”
 
Symantec security strategist Sian John said that she saw this less as a single person evangelising security, and more as a “security stakeholder”, having people in certain departments who are identified as having an interest in security, and who can help people work.
 
“The connection is what you make of it; you can find people with an interest as a side or who have done things, and you can offer reward to those who get involved and make it bi-directional, rather than one-directional,” she said.
 
“This depends on the maturity of the organisation, its scale of security and its attitude to open security; you can find the point where you are comfortable with what level of policy you need and what you are trying to track.”
 
Honan agreed, saying that by engaging with peers, line managers and senior executives you can better project information security in a positive manner. “By understanding the business challenges of various departments, e.g. the sales team needing remote access to corporate data, you can work with them to identify secure solutions. If the relationship is built well enough you may even be able to share resources and budget to implement those solutions thus making more effective use of your budget,” he said.
 
“Regularly reporting to management on the progress of information security initiatives and statistics on how well, or indeed how ineffective, your security program is running can also place information security in a positive light.
 
“Information security needs to be continuously embedded in the minds of everyone in the business; an effective information security manager should be helping the business identify risks, how to address those risks, and indeed how to successfully profit from taking business risks.”
 
Gallego said that what he does at Dell combines internal communication with external work, and it is mostly the latter, with users of Dell’s connected security strategy, which has to be evangelised. “My role is paid for by Dell and I am meeting with senior executives, risk managers and legal officers. You have the knowledge or not and it has to be a full time job,” he said.
 
As Wood said, this is less about a right or wrong answer to a way of working, and more about stimulating a conversation on awareness for the business and ensuring IT is in tune with the business and its staff. As Honan said, this should be something embedded within the business, and it will be enabled by a business that is in tune with IT too. Will it ever happen? We’ll wait and see.
