A frequent complaint that I used to hear from fellow CISOs was that there were not any good associations or events that they could participate in, where they could network and share ideas. The events and associations that were available either attracted too many tactical-level security professionals who wanted to talk about firewalls and pen testing, or they were thick with predatory vendors. We just wanted a place where we could discuss our issues away from vendors and practitioners.
The solution? We formed our own group: The Pacific CISO Forum (occasionally referred to as the Pacific Northwest CISO Forum). We organized in early 2003, and today we have over 60 participants.
Here are many of the secrets of our success:
- Do not formally organize. We are not an association; we are not incorporated; we have no officers, dues, or members. The primary reason for this is to enable public-sector participants to speak freely about their issues without being subject to FOIA. Were we an official organization, then public-sector participants could be compelled to document discussions that could be disclosed later on. So, we do not have “members”, but instead we have “participants”. We are just a bunch of people who know each other and hang out and talk about matters of mutual interest and importance.
- Do not use NDAs. When we first got together, we developed an NDA, but this was quickly met with resistance from many of our participants’ Legal departments who refused to permit us to sign them. Instead, we…
- Adopt Chatham House Rules. In other words, what is said here, stays here. The formal definition of Chatham House Rules is: “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.“
- No vendors or consultants. Vendors and consultants are not among our ranks. Criteria for participants is that they have strategic-level responsibility for data security in their organization.
- Build a bond of trust. In our early days, as we struggled with the NDA issue, we got to know each other and a bond of trust began to form. Soon, we realized that the NDA was a form of artificial trust that was soon unnecessary.
- Meet as often as needed. In our first year, we met every month, but attendance suffered. At the end of our first year, we wondered if we would survive. A small number of us had some “come to Jesus” discussions where we re-examined our principles and re-invented the Pacific CISO Forum. We changed to quarterly meetings, scheduled far enough in advance that we could get it on our calendars.
- Grow through invitation only. The quality of our group is a result of quality networking. We invite people we know who have strategic-level security responsibilities in their respective organizations. When we have a new prospective participant, the sponsor sends an e-mail to the rest of the group, describing this person: who they are, where they work, what they do there, and wait for other participants to respond. Only 2-3 times in the past five years have we declined a participant’s joining us: they were either vendors, consultants, or were tactical and not strategic.
- Determine and meet the needs of participants. In every meeting, we open the floor to everyone, so that we can talk about our respective security issues and discuss them openly. We always ask, what topics would you like to hear in future meetings? This helps us to figure out our agenda from one meeting to the next.
- Use inside and outside speakers. Many in our group are experts in several subject areas, and half or more of our speakers and presenters are our own participants. This provides opportunities for participants to share their successes, failures, and challenges. It also gives us opportunities to hone our public speaking and presentation skills. Similar to the rules for participation, we do not invite vendors to speak at our events.
- Start a private website or listserv. We are fiercely private and do not disclose any information about our members. Primarily we do not want vendors to have access to our names or e-mail addresses.
- Leverage other events. Frequently, we will schedule our meetings to coincide with regional ISSA meetings and other events. This helps keep participation up by recognizing that we can’t attend all of the events that we want to – that we must instead pick and choose which events we will attend throughout the year.
Since we formed five years ago, we have become a respectable group of professionals. We help each other, we encourage each other, and we share information among participants that would otherwise not reach many of our participants. Some of the information that you’d see on our mailing list includes:
- Positions wanted
- Position openings (we do not permit recruiters to post on our list, but we will sometimes post for a recruiter who is looking for a strategic-level security person)
- Training events
- Trade association meetings (e.g. ISSA, InfraGard, CTIN)
- Cyber security incidents
- Help with local and national cybercrime cases
If you are considering starting a group like the Pacific CISO Forum and have questions, please write to me by filling in a comment in the form below. Your question or comment will remain confidential and will not be posted on this site (unless you want it to).
Pacific CISO Forum in the news:
would be interested in how I can set up a forum for the Cyber Community working various cyber issues within the Federal Gov’t.
It’s easy enough to set up a private Yahoo or Google group that only members can view. But I suspect that Govt security requirements may prohibit the use of a public website for that purpose. If that were the case I’d suggest that a similar capability be implemented on an internal govt system that has similar structure.
A favorite product is Alfresco Community – and it’s free / open source. Takes time to set up, however, but it’s highly flexible and has discussion management for a purpose such as yours. http://www.alfresco.com
Oh, and I presume that I should not make your comment on my site visible to the public. I will keep it hidden or just remove it.
Hope this helps,