Mubix has posted his summary on things we wish our managers would learn, which I commented about the other day.
The #10 entry was about company buy-in and had only 1 vote, but I wonder if that single issue may drive a majority of the rest of the problems. It might not be that our managers don’t get these topics; they may be in the same boat as we are, feeling unsatiated with current results.
If there is any bias, it might come from how we read the question and how far up the chain our manager is. If my manager were the CTO/CSO/CEO I think I would answer more along the lines of #10. Maybe a good question would be, “what one concept would you want your company leaders to understand?” That would probably limit those technical responses and probably broaden the basic concepts part?
Or maybe what would be your security-related mission statement (and maybe a few supporting statements in case you think of mission statements as “make the world a better place”) for your company?
That would be a great follow-up question. Post it to Twitter, I’m sure SecurityTwits and I will retweet it.