RSA Conference Starting to Acknowledge Security Program Development
Thank you, RSA! It started in 2014 when a Security Strategy track was added to the agenda, one that was defined as covering security program development issues. This year it is going to the next level, though, as there are actually a couple of sessions that talk about security program development. I am going to count this as a huge win…
I love the RSA Conference. Heck, I served on the program committee for 3 years and have given 5 talks at the show over the years. The team that organizes it is passionate about making a difference and works really hard. I was excited when I reviewed the tracks this year and saw some content specific to security program development, because I firmly believe there is a relationship between the limited focus on security program development at the show and organizations still really struggling at security.
RSA Conference: Shining a Light on Security Program Development
My specialty is and always has been security program development, even when I was on the program committee through 2013. Back then, this niche discipline was an outlier in terms of finding a conference track. So they always stuck us in either the Professional Development track, where we talked about the skills needed to be a CISO, or the Governance, Risk & Compliance track, where we talked about how to certify to a framework like ISO 27001 or something like that. Neither of these is security program development, not in 2012 and not today. Further, it has not been RSA Conference's fault; they simply organize the tracks based on what people ask for. My hypothesis is that people don't ask because they don't understand what a true security program is, or why they need it.
Security Program Development: the Niche Art of Building Repeatable Systems
Security program development is the niche art of helping organizations build repeatable systems for managing information security within their organization. Functionally, it helps an organization establish a benchmark for security, implement and perform processes for measuring against that benchmark, report this information to management so that it can make informed decisions, and support the implementation of those decisions once made.
I am biased, no doubt, but in my travels most organizations are really struggling with implementing functionally healthy security programs, even when they are ISO 27001 compliant, spend a ton on information security, or have big teams. I firmly believe that until organizations focus on building healthy security programs, the attacks and mess we are in will continue.
Maybe this is the birth of a much-needed dedicated track on security program development at the conference.
If you have any questions about security program development, we are here to help.