ISACA Journal
Volume 2, 2014


Guest Editorial: Looking Back—Information Security Matters 

Steven J. Ross, CISA, CISSP, MBCP 

This column recently reached its 15th anniversary. That means I have written more than 90 articles for the ISACA Journal, which I must admit catches me by surprise when I add them all up. Over the years, I have solicited feedback from the Journal’s readers and I have been very gratified by the dialogs that have been established. There were only a few rotten tomatoes thrown my way and many more responses that I found challenging and thought-provoking. And a few that just said they liked what I had written.

Ideas for Topics

I have often been asked, “Where do you come up with ideas for all the articles?” It really has been easy. Most of the time, I just talk about my job and the projects I am working on at the time. I have been fortunate to have had some interesting work to do, which resulted in pieces that talked about matters such as establishing security functions, managing user identities, recovering from disasters and building secure data centers.

When my own work did not provide topics, I could always count on the newspaper for ideas. There is always something newsworthy about information security, risk management and disaster recovery. In the past few years, I have been writing a lot about cyberthreats, ranging from industrial espionage to all-out warfare. I consider this the most important question of our time…or at least the one we as security professionals can address. We cannot solve income inequality or world hunger, but we can do something about protecting information from criminals, terrorists and hostile governments.

Where I could, I have drawn on my own experiences. While I have never been the victim of a cybercrime, unless a few viruses along the way can be included, I have used my experience in writing about some disasters I have lived through and helped my clients navigate. In particular, there were two articles in the early 2000s on the destruction of the World Trade Center, across the street from where my office was at the time.

Finally, I have enjoyed sharing my viewpoints on information security trends. My first column looked at public key infrastructure (PKI) with a more skeptical eye than was fashionable at the time. As I understand it, that one had some impact among the readership. I wrote about such matters as the vanishing security perimeter, the security of instant messaging and the cloud before they were common topics elsewhere. (Or maybe they were written about and I just missed the publications.)

Conversations with the World

I have viewed each article as a conversation with security professionals around the world. I have always tried to make the articles I write entertaining, as well as (so I hope) relevant to fellow professionals. I suppose my favorite bit of fun in this regard was a column that began with “I am sitting in a bar in Berlin...”

I suspect I am the only security commentator to have included references to Mel Gibson, Sandra Bullock and Paris Hilton in my articles. It was not all Hollywood, of course. I have had occasion, in discussing information security, to quote Plato, Aristotle, Shakespeare, Keynes and Robert Burns. It is important to me never to talk down to those who read my pieces; I assume a certain level of culture, learning and intelligence on your part and have never been shown to be misguided in that regard.

Relevance Over Time

It amazes me, looking back, how relevant some of the articles remain after a decade or more. Digital signatures, security architecture, privacy, incident management and computer viruses were subjects of articles in 1999. I am not sure I would say the same things today and I know I would not say them the same way, but those are all still very timely topics.

The perennial nature of these subjects should not surprise me, though. When reduced to its elements, information security is really very simple: Keep information safely in the hands of those who should have it and out of the hands of everyone else. However, achieving that goal is a great deal more complex. Information security is somewhat kaleidoscopic in that just when you think you can see the picture, it changes. The bad guys get smarter, the technology evolves, the business becomes more encompassing and the components of information security interact in ways that were never previously anticipated.

Information security professionals are faced with decisions that go well beyond the technology of protection: How does one create a culture of security? Does security of information fit within the laws in the places where the information is stored and used? What is the relationship between information security and risk management? Is information security the same thing in different countries and cultures around the world? I have enjoyed the opportunity to probe questions like these in the pages of the Journal.

Some of you may know that I was president of ISACA in its early years. I have little interest in attending board meetings or involving myself in the administration of what is now a vibrant, global organization with more than 100,000 members. I have great loyalty to ISACA and I prefer to make my contribution to its welfare by writing my column. It has been my privilege to have the pages of the ISACA Journal in which to share my viewpoints and ideas. I make no pretense that I have provided any direct guidance as to how security professionals and IT auditors should do their jobs. I hope that I have provoked some thoughts, opened a few eyes and maybe even started a few arguments. It has been fun for me and while I do not promise to be writing Information Security Matters 15 years hence, I will continue writing as long as people still want to read what I have to say.

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.