There are many statements infosec professionals assume to be true – you need a CISO, the APTs are out to get us and an IPS is a good idea. There are also a few that we wonder about, like how do we get developers to listen, or what’s the best way to get users thinking about security? Wouldn’t it be great if we could get real answers to a few of those big questions, or supporting evidence for the things we assume to be true? The sort of answers we could put in front of the boss with a smile and say “it’s a fact”.
I’m going to be posting a series of articles on the big infosec questions. While I think I know some of the big questions, I’d like your input. Suggest a question in the comments below or tweet me @ironfog. I’m looking for questions that we can answer through public data sets (either ones already in existence or ones we can develop).
How should we get the attention of customers who still think that the internet is safe and that something like a software firewall will do the job?
Should the contents (SSN, CC#, PII) of the database be encrypted? Should only specific data be encrypted?
How do we get people to stop assuming that just because a system is not facing the internet, they don’t need to encrypt logins, etc.? The insider is a real threat, and people had better start recognizing that.