How knowledgeable is your CIO or CISO about the latest security technologies or even the most basic security concepts?
Writing about her recent experiences speaking at several security conferences, security researcher Joanna Rutkowska, said in her Invisible Things blog recently that she was shocked at the level of understanding many CIOs and CISOs had about basic security concepts.
Rutkowska keynoted at the InfoSecurity conference in Hong Kong. Her central message was that “technology is just as flawed as the so called ‘human factor,’ understood here as a user’s unawareness and administrator’s incompetence.” Rutkowska said that although it was the least technical presentation she’s ever given in her life, it was still perceived as too technical by the audience.
“And I didn’t even mention any specific research I’ve done – just some standard stuff about exploits etc…,” Rutkowska wrote.
In a discussion panel after the keynote, Rutkowska observed that some CIOs and CISOs were naïve to many basic security concepts.
I’m sure some upper level IT pros go to security conferences to gain a higher level of understanding of security technologies. But if you’re going to be a presenter or taking part in a panel discussion, you should probably have a basic level of IT security knowledge. Do CIOs and CISOs have an agenda when they take part in a security conference or are they really there to give attendees insight on ongoing IT projects?