Sunday, March 7, 2010

During the International Information Integrity Institute’s (I-4’s) most recent meeting last year, Donn Parker gave his perspective on the organization’s history and why it was founded.

Donn B. Parker is a retired (1997) senior management consultant from SRI International in Menlo Park, California who has specialized in information security and computer crime. He has written numerous books, papers, articles, and reports in his specialty based on interviews of over 200 computer criminals and reviews of the security of many large corporations. The Information Security Magazine identified him as one of the five top Infosecurity Pioneers (1998).

Perhaps his lasting achievement was to form I-4. I-4 is an information sharing organization whose members comprise CISOs, CSOs and other senior security managers from corporate, government and academic organizations. I-4 has been around since 1986 to keep its members aware of the most advanced information security concepts and controls.

Donn saw the need for information sharing in the security field early on. Donn does not believe in risk assessment, but recommends doing due diligence by benchmarking, which can be facilitated by information sharing in groups like I-4. While I don’t see eye to eye with Donn on risk management, I do agree on the need for information sharing, for neither risk management nor any other information security program can be conducted in a vacuum.

Information sharing requires trust. There are many things that should not be revealed in surveys or public conferences, and yet information security practitioners desperately need to hear the real score from their peers.

Close-knit law enforcement and military communities have had such trust. This trust often extended (and still extends) into industrial and other corporate physical security departments, often run by retirees from the law enforcement and military communities. But information security is still a relatively new field, at least when computers are involved, and close-knit networks of interpersonal trust are few and far between.

It was for these reasons that Donn Parker and kindred spirits founded I-4. After a long incubation in SRI, they eventually documented 82 controls, which ultimately fed into the UK’s BS7799, which in turn evolved into ISO 17799 and ISO 27001. I-4 went into one of its heydays and eventually capped its membership at 75 so as to keep the sense of trust and confidentiality. There was even a waiting list for new members at that point.

Through the dotcom bubble and the downturn and intervening recessions, I-4 has survived. Donn Parker and Bruce Baker retired, and eventually John Thurlow took over, and now Jim Wade is the Executive Director for the organization. Loyal administrative assistants and members have carried I-4 through a number of transitions of the supporting company that provides conference and logistics support (these companies have had colorful names such as Atomic Tangerine, RedSiren and lately GeTronics).

Fast forward to today – the good news is there’s no waiting list for I-4 currently. I recommend it – there are great people there, excellent conferences with everything under NDA and no vendor marketing, and a relatively small investment required for participation. Security professionals can pretty much get out of I-4 what they put into it; that’s the way information sharing works. They have a meeting on February 12-15 in Monterrey. It’s not too late to plan to attend; if you are interested, you can contact their web site, or myself I suppose.

At the end of Donn’s speech, Jim Wade brought up Donn’s wife – the “power behind the bald eagle.” What a moment! We could all wish for such a rich professional legacy…