Thursday, April 12, 2012

A Security Policy Presentation In Progress

I recently presented a set of ideas about making and socializing a security policy called "Getting Your Security Policy the Love and Affection it Deserves".  It didn't quite get the cheering, clapping, adoring reception I was hoping for, perhaps because it's too boring.  And, to be fair to the audience, it was sandwiched between two much more interesting and polished presentations.

So I'm curious - what does it need?  Pictures?  Concrete examples?  Fewer words?  More words?


  1. In my opinion, it might be helpful to identify the problem before you present solutions. You could explain experiences you've had trying to communicate your security policies to management or employees and how they helped you come up with the strategies you lay out to facilitate the process. Tech nerds love to laugh at people who don't know as much as they do (everyone does, actually), so I bet you could work in some humor there.

    Maybe you did this but I didn't see it in the slides.

    Also, did you practice giving the presentation out loud? You can punch up boring bits when you recognize them during practice sessions.

    You deserve cheering, clapping, and adoration! I bet you'll get it next time you present.

  2. Building on -P's comments, there's no sense of the alternatives or pitfalls. What can go wrong? What causes sec policies to be unloved/rejected/not work? What happens when one veers off the golden 9-step path?

    Is there evidence that this is better? (Better than what?)