So, it finally happened. I was invited to talk at an Information Security Conference and I went and talked.
My talk was about the risks of information leaving the organisation but I decided to add in the risks of information not leaving the organisation.
This may sound counter productive but in these though times your IT department should really be looking at using services such as GMail, your Marketing department should be looking at using Facebook, Twitter, Blogs etc. Your HR department should be looking through LinkedIn for new staff.
If your Security Department is too tough on information leaving the organisation then you are missing out on opportunities. Of course, if you are too lax then information will make its way out and that can't be good for the company either.
Information Classification is key. As is awareness.
My speech was very well received, achieving over 8/10 for the different areas and I have been invited back to speak again.
I must admit that my speech was aimed at business decision makers and not technical people and yet the people who showed up were more technical people. There are very few companies in South Africa (with my employer being a noted exception) that treat Information Security as a business issue and not (only) a technical issue.
I'm not really one to tooth my own horn but I wrote this blog entry to thank a number of people who made my speech possible.
Firstly thank you to the two blogs that I feel are on the forefront of Information-centric Security - Securosis and Rational Survivability. I used some material from both sites and some that was sent to me by Richard Mogull from Securosis.
I used some speaking tips that I got from Presentation Zen so I didn't put everyone to sleep (even though my speech was at the danger time of 3:30pm when everyone is tired and wants to go home) and I used some (free!) graphics from Stock Exchange.
When I was preparing for the speech, I revisited some of my old Blog posts which I think I need to repost as I have some more ideas about them.