HINT: You're probably NOT the fairest of them all (and neither am I).
The dreaded (by some) topic of information security roles and responsibilities.
When people don't know their role, or they're not held accountable for it, what happens? Too often, nothing happens. Information security falters, breaches happen, people suffer, and everybody is left pointing fingers at everybody else.
The facts:
- NOBODY is more responsible for your information security than you are.
- NOBODY should give a shit about your excuses.
- SOMEBODY suffers when you don't understand (or define) your role and play it as well as you can.
- A CISO can only do what he/she is EMPOWERED to do. Does burying them within IT empower them?
So much shit to talk about in this episode, and there's sure to be some sparks flying (and maybe a disagreement or two).
Questions we'll cover (and more):
- Who the hell is responsible? You? Me? Them?
- At your organization, who's ultimately responsible for information security?
- At home, who's ultimately responsible for information security?
- Who's to blame when shit goes wrong?
- Where's accountability in all this?
- Worried about the Russians, the Iranians, the hackers taking all your shit? Whose problem is that and what are you going to do?
- You've got the CISO job! Yay! Are you empowered to do your shit? Why/why not?
So many angles to take on this and lots to discuss! Join us tonight (7/2) @ 10PM CDT to get the Shit Show Crew's take!
GREAT Episode! A lot to unpack and a few tough conversations in my future discussing some of this with my leadership.
I'd be curious to hear your opinions on 2 followup items from this show:
In your opinions, where is the line between "Real world imperfect organization with issues" and "Shitty management, GTFO"?
What are some ways to determine if you're failing as an information professional at communicating risk effectively, or if you're dealing with leadership that just doesn't want to hear it?