Infosec professionals, and infosec organizations, have not correctly aligned their work to business goals. There is no credibility as a result. Any idiot can proclaim their just as effective as we are because we simply aren’t very effective right now.

Viruses run rampant, we scream “We blocked X virii today”. Data leaks out, we scream “We’re doing egress filtering today”. E-Discovery runs rampant, we scream “We imaged X disks today”.

Quite frankly, no one gives a rip and the problems aren’t being solved. Internal marketing efforts, as well as scope of work, MUST be focused on solving business problems - not technology problems.

No perceived value = Any Joe Schmoe can do the job

We can’t invent new ways of being valuable. We must plug into existing value propositions at the companies we work for - just like everyone else. What makes us think we can reinvent what business value means? Turning the table on the “we can do it better” beef, we aren’t risk managers and we aren’t technologists. The vast majority of infosec practitioners don’t have the chops to be cutting edge researchers. We must be business partners.