Security & Risk Blog

Welcome to my Computer Weekly security blog! This is the first post of many and it’s polite to begin with an answer to the who, what, and why questions.

I’m Stuart King and I work for the Reed Elsevier Group in a role that encompasses the online product and risk side of information security. Summing up my role in a few words is no easy feat. In fact, just coming up with a job title that correctly identifies my role to the rest of the world has been the subject of many hours of heated discussion. The problem is that if you tell someone you work in information security they are likely to make an assumption that you are either a) a hacker or b) the techie who configures the firewall. I’m neither of those although I do have a good knowledge of the tricks of the trade of both. My focus is very much on looking at the risks associated with putting increasingly complex products onto the Internet, then deciding how best to address those risks within an organisation that produces literally hundreds of web products as the output of development groups across five continents.

My role is no easy task, and much of this blog over the next few months will be discussing the associated challenges and problems. A common theme is likely to emerge: most principally the fact that I am not always right! That’s not to say that I don’t know what I’m talking about – although I may propose some opinions that you feel are, frankly, wrong – it’s just that even when I’m convinced that I am right to the extent that I’d gladly get it printed on a flag and hoisted over corporate HQ, someone will inevitably pop up and tell me how unlikely, impossible, or outrageous my solution is when it’s considered in the context of certain groups of the business.

In other words, the most important thing that matters whenever proposing solutions around security is how it relates to the goals and objectives of the business or part of the business that it is intended for. One of the hardest lessons to learn is that the best way of mitigating risk is rarely one that is acceptable to implement. I’ll be talking about this more over the coming months.

I’m delighted to have been offered this opportunity by Computer Weekly. My brief was short: keep it interesting! Interest will be measured in feedback. I’ll respond to as much of your feedback as I possibly can: positive or negative or provoking further debate on a particular topic. Information Security has, in my opinion, reached a turning point. It is now truly becoming a profession staffed by specialists as opposed to a subset of the IT department. As such, any insight into the real-world challenges being faced by practitioners is of interest and it is in this context that I look forward to corresponding here.