Alex Hamerstone

Alex Hamerstone, ISO 27001, CISSP, is the Advisory Solutions Director at TrustedSec, and has over a decade and a half of information security consulting experience. Alex uses his consulting experience to partner with all sizes of organizations in all verticals, performing assessments, audits, and security program development. Alex has designed security programs for both large and small organizations and has advised and performed security assessments for companies ranging from small businesses to Fortune 100 corporations. Alex’s experience covers a wide swath of industries, including retail, utilities, education, insurance, and healthcare. Additional areas of expertise include program development, process creation, documentation, regulatory compliance, cloud implementation, security awareness, standards adherence, and international information security regulations. He has presented to many Boards of Fortune 500 companies, showcasing his sought-after ability to articulate the importance of information security to the business.

Alex is a constant presence on the national media, with many appearances on CNBC, CNN, Fox News, CBS News, MSNBC, News Nation, Al Jazeera, and multiple local news channels. He is often quoted as an expert in national general interest articles as well as industry publications, including The Wall Street Journal, Reader’s Digest, and The Washington Post.

Be sure to catch Alex’s talk at ShowMeCon!

________________________________________________________________________________________________________________

Why You Don’t Need a Security Team

For many reasons (which I will discuss in my presentation), I have come to the conclusion that many, if not most, security tasks, functions, and roles can and should largely be distributed across the organization, with support from a governance/oversight function. In short, fewer "security people" and more people "doing security." My prediction is that in the future there will be fewer dedicated information security staff members and a larger number of general staff who practice what have traditionally been information security functions. This requires a fundamental reassessment of how we look at managing security.

This presentation isn’t about general information security awareness training, but rather breaking down the elements and tasks of an information security program and dividing many of those elements and tasks amongst current staff.

For example, fewer application security people and more developers who are trained to write secure code; fewer network security specialists and more network admins who implement security controls themselves.

This will lead to security taking on more of a governance and advisory role, providing direction rather than implementation. And for all but the largest organizations, many specialized security roles will end up being outsourced to specialists rather than being on the company payroll.

In this presentation I will discuss:

  • The current information security professional "shortage." Shortage in quotes, because in many cases this is more of a misalignment between the expectations of hiring organizations and reality.
  • The role of specialization in all organizations and societies.
  • The current and ideal role for information security within an organization (advise? consult? recommend? test? implement? develop? build things? run things? measure things, both their existence and their effectiveness?).
  • Where information security should sit (business? technical? risk management?).
  • How legal, privacy, audit, and general IT have been moving into what has traditionally been the realm of the security team.
  • The importance of understanding the business and its risks in order to provide context and prioritization for information security.
  • How distributed security functions can lead to better outcomes.
  • And more!