Blog of Wade Making Connexions

AISA Seminar Day Wrap Up

I thought I’d post a few notes I took @ AISA’s seminar day. A point that all speakers made was that Security is a business function/enabler, it is not part of IT. They nearly all mentioned that metrics are the way of growing the Security space by reporting back to the business.

The Keynote speaker was Senator Helen Coonan (Minister for Communications, IT and Arts). Her address to AISA was based around what the government was doing to raise the profile of ICT and Information Security throughout the country. She was also very keen to find out what issues the population is currently facing. She’s re-activated TISN; Trusted Information Sharing Network. The Trusted Information Sharing Network (TISN) is a forum in which the owners and operators of critical infrastructure work together by sharing information on security issues which affect critical infrastructure. It is made up of a number of Infrastructure Assurance Advisory Groups (IAAGs) for different business sectors, and overseen by the Critical Infrastructure Advisory Council (CIAC). The Senator seemed to understand the greater concepts of Security. Should be an interesting few years watching this play out.

Ahmed was the next speaker, from ING Australia. His talk on “Process for Reporting and Escalating Risks to Executives” hit home a Risk Management Model (AS4360). His key points were transparent reporting and escalation to enable business. He also recommended a ‘top 5 issues’ list to be presented to CXOs/Board, instead of trying to track every possible issue. There was nothing overly new in his talk, but he gave great insight into how a “working model” actually functions. This was of great benefit to me. Metrics from the Risk Management Model are what allow ING’s businesses to get a sense of what is going on, and how they are tracking.

Mark’s talk was on user education awareness campaigns, and boy, was his talk refreshing. His personality meshed with the message he was sending, and the methods he was communicating. The background to his campaigns lies in the marketing and psychology space. It was great to see these skills being leveraged and explained to Security staff to raise their own profiles and get some presence within the organization. One of the tools he uses is a prize-based incentive to get his users to read security messages. Security communication across all channels was the loudest message I learnt from him (i.e. print/e-mail/intranet/toilet door!). He also explained that this should come from the business (to align with their greater focus/goals), and tie it back to metrics again, showing compliance, cost savings, brand reputation, etc. He also went through the benefits of having an infosec brand that was known company-wide; the reinforcement of a standardized message and continued thought process each time a message is ‘dispatched’.

Peter was the next speaker, on Governance. His topic was about aligning IT/projects/roll-outs to business strategy and focus. He’s a member of a multitude of committees, including ITGI, which has case studies on the framework he was talking about - Val IT. Val IT provides the means to measure, monitor and optimize the realization of business value from investment in IT. It complements COBIT from a business and financial perspective and will help all those with an interest in value delivery from IT. This initial series consists of three volumes, available for free download. He also brought up the concept of a Results Chain to the floor, a very interesting concept to me.

The last speaker of the day, Roger Clarke, spent most of his time on privacy issues, on biometrics and smartcards. His talk was meant to be on The Costs of ‘National Security’ to Privacy, and to Business, but I was more than happy to hear his thoughts on Privacy, considering he’s an expert on the subject. He covered so many ideas and topics that I cannot even summarise it. His talk was the most academic, but also one of the most enjoyable due to the direct nationwide impact on every Australian, and his ability to relate that back to the current situation (and he could even show that it was a re-hash). His paper can be found here.

I was very impressed with the calibre of speakers, the venue, the topics covered and the presentations themselves. I considered myself very lucky to be able to attend the day; I learnt a lot and had many other messages reinforced. Sign up to AISA!
