With the end of July close by and the beginning of August looming at the end of my calendar, the Black Hat and the Defcon conferences are rapidly approaching. For me, it is the time of year where I get to hang my suit and put on simple clothes to go hang out with many of my friends in the security arena. As an added bonus, I get to attend some world-class caliber talks about new types of attacks, new tools and generally a new refresh about what we are up against. Anyone who is serious about making a career in information security
should attend both conferences at least once.

The stuff I do for a living is guiding my organization to be successful at keeping its valuable information assets secure. To do that, my days mostly revolve around a combination of meetings in which we talk about developing and implementing security strategy, setting and implementing policy, working on things like vulnerability scanning, patch management, network situational awareness and managing security incidents. There is a lot more, but that's not all that relevant right now ;)

Whenever the big summer conferences approach, the technical side of my starts to speak up more. Suddenly, I want to be more involved with activities such as penetration testing, forensics, real-time log analysis, etc. I typically start annoying the people who are responsible for daily operations when that happens, but as it is the law of the land, I generally win those fights and I get to scratch my itch.

This year is no different, but as things go, I just cannot find the time to get my hands dirty. The closest I was able to do was throw out a few Tweets in which I stated that solving non-tech challenges is rewarding, but in the end it comes down to hard core tech. No CISO should ever forget that. I also said that a well-designed and well-built network in a poorly run organization still has a chance of being secure. The other was around not so much. In a private tweet, I also said that developing and implementing policy is critical too, but that having a great policy without the technology to back it up is a guaranteed fail, which having a good technological infrastructure to work on, technology without policy will work for a while.

Now, to pull out a cliche, as a CISO, it is my job to balance technology, processes and people to navigate my organization to a point where its residual information security risk is of an acceptable level. It is important to realize that all three P's are necessary to be truly successful, but if I had to pick, I would much rather work in an organization that has great technology and knows how to use it, but may be weak on the policy/people end, than work in an organization that is driven by handbooks, policy and procedures, but is weak in technology and people.