Explain what you do in less than 50 words:
Protect the company’s intellectual property, physical and electronic information assets through policy, training, awareness, education, controls and audits as appropriate. Enable the company to operate securely in line with its corporate governance, legal and regulatory obligations. Understand threats to the company and respond to security incidents.
What is the biggest information security threat to your industry?
The focus on technology and end point solutions, rather than the people who use them.
What technology or information security solution could you not live without?
I think I could live without most. What I couldn’t live without is speaking to people. All too often in our working environments, SMS, IM and email are used for convenience when a conversation would be much more useful, and could avoid misinterpretation/misunderstandings that can be caused via electronic mediums.
If you were leaving your role, what one piece of advice would you give to your successor?
Trust no-one and look for the worst in everyone, that way you won’t be surprised if/when information security is breached.
What is the information security industry’s biggest shortfall?
The use of fear, uncertainty and doubt as a sales tool for the plethora of point solutions that are on the market. Converting to a business value driver and enabler would engage the industry more.
What is your proudest achievement?
Certification by ISACA for CISM and CRISC, alongside my MBCI. Independent certification of your specialist knowledge in a business context is extremely useful and gratifying.
What is your biggest regret/mistake?
Believing I could operate an information security function from within the IT department of an organization.
In three words, what should the information security industry expect to be facing in 2013?
Erosion of trust.
Name a project, movement, product or legislation / standard that has impressed you in this industry.
Linus, an Australian company, has produced a methodology supported by a tool that allows the business users to define the sensitivity of their information assets. Then IT identifies the existing or proposed controls before evaluating whether the controls applied meet the security needs of the asset. This way of thinking allows my business to define ‘how much security is enough’ and underpin a relevant business case.
Who, in this industry, inspires you?
James Lyne of Sohpos. A deeply analytical and technically minded man who can effortlessly adjust his conversational style and subject matter to suit his audience.
What are we, as an industry, doing right?
The focus on education and awareness is to be welcomed, as inevitably, people can be our weakest link.
If you weren’t an information security professional, what would you be?
A lawyer
What are you hoping to see/hear at Infosecurity Europe 2012?
Practical solutions to business challenges in information security that can be applied to my company.
| Graham McKay will be speaking at Infosecurity Europe 2012 at 11:15 on Wednesday, April 25, in a session titled ‘Security vs. Corporate Comms: Just How Do You Make a Social Media Strategy Work?’ |