Shostack + Friends Blog Archive


ANNOUNCEMENT: The Society of Information Risk Analysts

I was talking with (the now nationally famous) Rich Mogull at Secure360 last week in St. Paul (fabulous security gathering, btw, I highly recommend it), and he reiterated his position that we had too much “echo chamber” and not enough engagement with everyone – especially our peers who are down in the trenches and too busy to have a voice.
I also had a chance to sit down with Jay Jacobs while I was there and he started talking to me about his perceived need for a bunch of “risk interested” security folks to get together and talk in an informal manner, a desire driven from his reading about how, during the enlightenment, great minds (esp. French mathematicians) would get together to talk.
Now I’ve been a big fan of informal but focused discussions as a means of furthering our ability as a profession to actually get things done. Nothing worse than an ISSA/ISACA/InfraGard/Whatever meeting where everyone is sitting forward, not engaging with others, watching some bullet-heavy PowerPoint (usually supplied by a vendor). So after talking with Jay and Chris Hayes, Chris Carlson and Marty Miracle – we came up with an idea.

The Society of Information Risk Analysts

The idea here is this: Building a real information risk management program isn’t easy. Anybody who says they’ve got it figured out is talking out of their elbow. The Society of Information Risk Analysts should be a place (virtual, physical) where people who have to deal with IRM can get together and talk. Sometimes this might be a Webex from a real practitioner. Sometimes this might be a local gathering at a coffee shop or bar. Sometimes this might be a sponsored get-together at a regional or national security conference. But wherever we can congregate, we should — and discuss and help each other out.
I don’t want to add too much structure or vision beyond this.  I think that’s for the members to decide.  But if you had to ask, I would say the Society should be formally, informal.
So what I’ve done is set up an initial Google Group:
It’s currently “invite only” but that’s just to keep the spam out.   If you’re interested, please feel free to send us a request.  Similarly, there’s a twitter account (of course):
You can follow for announcements, and links, and so forth but also to discuss interest.  You can always also get in touch with me via Twitter, too:
From here, once we have a dozen or so interested parties, I’d like to hold a Webex to see what sort of combined vision we can create. I hope to let it be, as Adam would say, emergent. Maybe, if enough are present (or even if it is just a couple) there can be initial face-to-face meetings attached to Metricon, Blackhat, and/or Defcon.

10 comments on "ANNOUNCEMENT: The Society of Information Risk Analysts"

  • _SunSh1ne says:

    This is great! Jay and I started a group in the Twin Cities last year, we’ll be sure to get the participants involved in the discussion.

  • Alex says:


    Well, and this is an outcome of Jay’s desire to do more and others’ desire to reach out and talk program development.

    It’s my desire to set about applying scientific methods as best as I can. We’ll see what happens, but no Stuck-Up-Sticky-Beaks here!

  • _SunSh1ne says:

    I am truly inspired by you both, and a Hear, hear! Well spoken, Bruce!

  • Patrick Florer says:


    I would like to participate.


  • Jack Jones says:

    Please count me in.


  • Russell says:

    It would be great if SoIRA could have membership that crossed business functions and crossed disciplines.

    Specifically, SoIRA should be a place that actively welcomes and recruits people from other related disciplines and functions — enterprise risk managers (aka GRC), auditors, business process management, economists, corporate finance and performance management, training, usability, etc. To do so, we’ll have to counteract the social processes common in InfoSec groups — namely the tendency to exalt technical and technician skills and values and repel nearly every other perspective or skill.


  • John Hoffoss says:

    Russ: Why would you not want to inadvertently recreate our comfy echo chamber? Those other people can’t possibly know what we’re up against. /sarcasm

    Alex: Invite please; I’m in.


  • Doug says:

    Alex – Please count me in as well — Doug

  • Jay Jacobs says:

    Just a quick update to this, the Society has moved off of Google Groups and is now located at
