Posts Tagged ‘security management’

Security’s Possible Path To Maturity

Monday, June 1st, 2009

At times, there are topics in information security discussions that get a lot of attention, fall out of interest, only to be resurrected again and reemerge as a hot topic. I call these “Information Security Zombie Memes”; they are the walking dead of discussion and rhetoric that we can’t seem to destroy. Return on investment, security and obscurity, full/partial/responsible disclosure, how to measure security, and such topics are good examples of those subjects that boomerang back around into our collective consciousness again and again. One that has been in my mind lately, as I think about the convergence of risk management and management science, is the “security, art or science” meme.

On Clouds and The Evolving Role of the CISO

Wednesday, May 6th, 2009

One of the fun things about being in Information Security is the amount of change our profession goes through. In a sense, we might pity the accountant, the salesperson, or others whose role in the corporation has been well defined for many years. Our role is centered on understanding the use (and therefore protection of) information, and as such our job is as dynamic as that which we seek to protect. Now if I haven’t mistaken this role, how the CISO approaches her job is about to fundamentally change (again).
