1. Web/Media 2.0 influence on security
1.1. simplified design
1.2. intuitive presentation to user
1.3. any user has control over presentation
1.3.1. can user data be trusted?
1.3.2. Can it be moderated?
1.4. specific elements
1.4.1. tagging
1.4.1.1. Searching
1.4.1.2. Sharing/Linking
1.4.2. blogging
1.4.3. audio/podcasting
1.4.4. Video
1.4.5. Wiki
1.5. central management
1.6. Transparency
1.6.1. single sign-on identity across different sites
1.7. rich content
2. Security integration with Web/Media 2.0 to protect information
2.1. need for frameworks to guide & evaluate security
2.1.1. academic/theoretical models
2.1.1.1. qualitative methods
2.1.1.2. quantitative methods
2.1.2. pragmatic methods
2.1.2.1. COBIT
2.1.2.2. ITIL
2.1.2.3. ISM3
2.2. share "good practices" for information protection
2.2.1. standards
2.2.1.1. ISO 27000-series
2.2.1.2. NIST SPs
2.2.1.3. RFCs
2.2.2. professional practice guides
2.2.2.1. GAISP (? defunct ?)
2.2.3. government directives
2.2.3.1. NIST 800.x series
2.2.3.2. DoD 8500.x series
2.2.3.3. DCID 6/3
2.3. security/protection of information as a differentiator
2.3.1. business benefits of strong security
2.3.1.1. doing business safely
2.3.1.2. understanding the risks
2.3.1.3. preparing for contingencies
2.3.1.4. building confidence & trust
2.3.1.5. enabling business process
2.3.1.6. supporting business prioritization
2.3.2. Security IS the business
2.4. security considered in design (not bolted-on)
2.4.1. formal (security) methods
2.4.2. security training & awareness for design & development professionals
2.4.3. security architecture
2.4.3.1. not 'security through obscurity'
2.4.4. competent security testing
3. Skills, tools and experiences needed by professionals
3.1. communication
3.1.1. speaking
3.1.1.1. telling security stories
3.1.1.2. Presentation Skills
3.1.2. writing
3.1.2.1. persuasive/motivational writing
3.1.2.2. copy writing
3.1.3. multimedia
3.1.3.1. combining written & spoken advice
3.1.3.2. videos plus briefings
3.1.3.3. website plus plus
3.1.4. bidirectional
3.1.4.1. gathering feedback
3.1.4.2. responding positively
3.1.4.3. engaging hearts & minds
3.1.5. collaborative clusters
3.1.5.1. academic
3.1.5.2. industry
3.1.5.3. professional bodies
3.1.5.4. standards development
3.2. stewardship
3.2.1. custodianship
3.2.2. governance
3.3. selling
3.3.1. influencing the purchaser
3.3.2. closing the deal
3.4. marketing
3.4.1. internal
3.4.1.1. the value of security
3.4.2. external
3.4.2.1. security as differentiator
3.5. networking
3.5.1. establishing & building relationships
3.5.2. bringing people together on common interests
3.5.3. special interest groups
3.5.4. collaborating
3.6. problem solving/thinking
3.6.1. non-linear thinking
3.6.1.1. mind mapping?
3.6.1.2. hyperlinking
3.6.2. critical
3.6.3. structured/scientific analysis
3.6.4. 'open source'
3.7. cynicism, caution
3.7.1. seeing downside risks as well as upside opportunities
3.8. Training
4. Other elements to consider or work on
4.1. water cooler learning
4.2. integrated security practices
4.2.1. people
4.2.2. process
4.2.3. technology
4.3. history
4.3.1. remember where we have been
4.3.2. reuse / not reinventing the wheel
4.4. risk management
4.4.1. current risks
4.4.1.1. threats
4.4.1.2. vulnerabilities
4.4.1.3. impacts
4.4.2. risk management methodologies
4.4.2.1. quantitative
4.4.2.2. qualitative
4.4.3. projected/future risks
4.4.3.1. trends
4.4.3.2. emerging issues
4.4.3.2.1. political
4.4.3.2.2. economic
4.4.3.2.3. social
4.4.3.2.4. technological
4.4.3.3. new technologies
4.5. security memes
4.6. information security elements
4.6.1. confidentiality
4.6.2. integrity
4.6.3. availability
4.7. how to measure it?
4.8. government regulation/oversight
4.8.1. Gramm-Leach-Bliley Act
4.8.2. Sarbanes-Oxley Act
4.8.3. HIPAA
4.8.4. Privacy Act
4.8.5. Foreign Corrupt Practices Act
4.8.6. FISMA
4.8.7. CLERP9
4.8.8. Directive 95/46/EC
4.8.9. Bill 198 (CSOX)
4.8.10. PIPEDA
4.8.11. DPA (Europe)