Once again, the Middle Tennessee chapter of the Information Systems Security Association (ISSA) and the Nashville Technology Council put on a phenomenal event. The two organizations took over the Nashville Convention Center,  hosting over 430 attendees and 28 sponsors. With over two dozen local, national and internationally recognized speakers, the breakout and keynote sessions were nearly as interesting and entertaining as the hallway conversations.

With a focus on not just technical, but also management issues, the topics spanned industry and organizational strata across the security landscape. Because of the unique blend of attendees and sponsors, this was the ideal venue to begin a discussion about how to manage security responsibility across both the hosted or cloud environment and the traditional data center.

The genesis of this discussion began during the background research phase as we prepared for the (ISC)2 Web Roundtable, “Split Responsibility in Cloud Services“,  I moderated on June 24th, 2010. As with many of the events we are involved in, we found the audience questions outstripped our time allotted, so some questions remained unanswered. In chasing down many of the answers, I uncovered yet more questions. The Infosec10 conference was a fantastic opportunity to present our current findings for feedback and gather additional insights from the attendees. I’m looking forward to hearing more from them over the coming days.

I’ll be releasing our view on managing security responsibility across the fractured enterprise later this week, after I have some follow-up conversations with the fine folks I met in Nashville. Stay tuned.

The problem being faced is really not so different from the age old advertising problem of reaching the right audience with the right message, at the right time. Having developed security awareness programs based upon advertising and marketing models in the past, I suggest the following:

Continue Reading