I just signed up for the Existing Opportunities in the Security Market event being held over at Stanford. The bullet list of topics for the discussion:

  • Are there still untapped opportunities in the information security market?

  • What does the move toward a risk mitigation-based ROI approach mean for security vendors?

  • How do corporate security officers and IT directors assess risk within their own IT environments?

  • What role do IT security products play in overall enterprise risk management?

It sounds like it could be pretty interesting. I did work for a while as the security manager for a pretty large startup down in Pasadena, and I learned a hell of a lot in the process. Even among the most competent and insightful of the information technology workers, security is something of a black art. I think a lot of the issues stem from security directly straddling both financial and information technology roles. This is true with just about any technology work, but I see it most pronounced with security. Most people still start their security work at the “how can I secure this system?” question, when in actuality the first security question should be something along the lines of “what is the risk of running this system and how much am I willing to pay to assuage that risk?” I think that’s what most of those bullet points up there are all about. I thank one of the security consultants I worked with down in LA for pointing out to me that the real role of security within an organization isn’t securing systems, it’s managing risk. So Chris, if you end up reading this, thanks for opening my eyes to that so early on.