AISA - Challenges, Change and the Future - Interview with AISA Chair, Stephan Overbeek

Posted on July 11th, 2008 by Drazen Drazic

I’ve posted before about the Australian Information Security Association. AISA is a volunteer-run organisation of Information Security professionals with branches in almost every capital city in Australia and in excess of 800 members. The number of members has grown significantly in recent times, and AISA as an “organisation”, as opposed to the “Interest Group” it started as, is growing also. In this chat with Stephan Overbeek (the current Australian Chair) of AISA, we talk about the organisation, focus on valid questions and concerns raised by many in the industry here (including myself) about AISA and look at what AISA’s plans for the future are. (Note: I am an AISA member and a volunteer on the Executive committee, as I have mentioned in the past.)

BorB: As the Chair of the Australian Information Security Association, could you tell us a little bit about the organization.

SO: Sure. AISA is the Australian Information Security Association. We are an organisation for Information Security professionals. We promote our field and the role of the Information Security professional. We currently have over 800 members across the country with branches in 6 major cities: Adelaide, Brisbane, Canberra, Melbourne, Perth and Sydney. Our organisation is made up of individual members - no corporate members as such.

BorB: While membership numbers are now over 800 (as at the time of this interview), and growing, there are still many in the Infosec industry who haven’t heard of AISA or believe AISA doesn’t add value to them, e.g. the technical and researcher communities.

SO: We’ve been around since 1999 so our growth has been pretty good. But you’re right, there are many in our industry that haven’t been exposed to AISA or still believe that the organisation is not relevant to them. We’re trying to change that. We believe as we go forward that all Information Security professionals should benefit from AISA and vice versa. Our meetings now are a mixture of security management and technology focused topics. However, we do realise that technically focussed security people may not immediately be attracted to our organisation as we currently do not do much in terms of research presentations, demonstrations, hands-on experience and such. We are though currently launching initiatives to reach out to the more technical and research community.

We have a strong focus on networking and that can benefit everyone!

BorB: There are some who question AISA’s relevance and question the move to become an industry association as opposed to just an interest group. What is your response to that?

SO: AISA has outgrown the status of just an interest group. We represent a good number of Information Security specialists, and in Australia, we are the only end-user focused Information Security professional organisation with individual membership. Of course we have a focus and we may not, and we cannot always be relevant to everyone at all times but with the various types of people and their experiences, we can all learn and benefit from each other. The organisation is shaped by the people in it and as we grow, the organisation will change and grow.

BorB: This is your second year in the Chair, tell us a little about the challenges you have faced and AISA’s plans for the future:

SO: AISA is an organisation of many well-willing and hardworking individuals. My main challenge is to get volunteers to be active for AISA while they have their day jobs. In the current market, many professionals need to focus on their day job full time and this leaves little time for AISA. This counts for almost everyone, including myself. Let me take this opportunity to reinforce the value that our volunteers bring to AISA and to show my gratitude for the work they do for AISA. We try to bite off as much as we can chew. We have many more initiatives but do not have the bandwidth to bring them to fruition as quickly as we’d sometimes like. We always need more people, so if you read this and if you are an AISA member, please approach me or your local branch executive to indicate you have time available to be active for AISA.

BorB: Now that AISA is an industry association, why isn’t AISA doing more as a representative voice for the industry in Australia? E.g. being a point of contact for government in relation to Information Security challenges being faced by the country – both business and consumer levels? (E.g. AISA wasn’t directly asked to comment on the recent RFC for Data Breach Disclosure Laws.)

SO: AISA is reasonably well known amongst its constituency but is not so well known to the rest of the world. Media and government do not think of AISA yet when they have an information security issue. We’re trying to change that and we will.

BorB: Are there any plans to create more partnerships with similar international associations?

SO: Yes, there are. We have recently revisited and strengthened our relationship with (ISC)2, the organisation that administers the CISSP certification. We are also thinking of building ties with other international organisations, but at this stage I cannot disclose this to you as discussions and planning are in the very early stages. Locally, we have quite good relationships with ISACA, RMIA and various other organisations as you know. Our members benefit from this.

BorB: What are your thoughts on the Information Security industry in Australia? Do you believe we are on pace in terms of awareness and progress being made elsewhere in the world?

SO: In my view, there is no such thing as an “Information Security industry in Australia”. There is an Information Security industry which is a global industry. We happen to be in Australia, but the focus of the industry and of the clients, vendors, suppliers, experts, and everyone in this industry is and needs to be a global focus. However, of course you can compare the Australian part with the rest of the world. In Australia, we have some strong national standards for Information Security such as PSM and ACSI33. But again, they mean nothing on a global scale. For most organisations international standards such as ISO 27001 are much more relevant. I think Information Security awareness is relatively low everywhere in this world, including Australia. It must be my own professional frustration, but after decades of educating the vendors, I still see products and applications hit the market with little or no security. Security is still an afterthought. Also the customers still do not seem to expect and demand products to satisfy a serious level of security. My expectation is that if we want to change this situation, the customers need to get together, form a consortium and demand vendors and application providers to deliver secure products (and it is up to that consortium to define what ‘secure’ means).

BorB: What are the largest challenges you see for the Information Security professional in this country and the country in general in regards to Information Security?

SO: Keeping up with the huge amount of information and news in this industry. There is a plethora of news bulletins, blogs, newspapers, feeds etc etc and it is a challenge for professionals to separate the relevant news from the nice-to-know and the irrelevant. Identifying the priorities and not losing focus to the latest hot topics.

BorB: So what do you believe is the value AISA will lend to these challenges and people in our industry?

SO: AISA brings a wealth of benefits to people in our industry. The biggest value to any one person is the people within the organisation itself - networking opportunities; contacts, information sharing, working together. I could go on and on.

But, in addition, the things you can actually see; AISA meetings, discounts to conferences and training, free offers for various software products, job mailing list and forums, monthly newsletter, etc etc.

BorB: Personally, what’s on the horizon for Stephan Overbeek? Do you plan another year in the chair?

SO: No. I will be stepping down in September. But I will stay involved with AISA in the foreseeable future as advisor and in starting initiatives for AISA, including the ones you have addressed in this interview.

BorB: Thank you for your time, Stephan.

For more information or to join AISA, please go to:
http://www.aisa.org.au/

Stephan Overbeek is National Chair of AISA (the Australian Information Security Association). His day job is Managing Security Consultant for VeriSign’s consulting business in Australia.
