Where have I been? Certainly not here! I’ve been on a little bit of travel to Asia and Australia and spending time with security professionals both inside and outside my company. I also tried the Tim Tam Slam for the first time, and videoed it. Enjoy.

In my travels over the last two weeks, I am learning that the security market here tends to be more focused on shiny tools than security process. Someone even made a statement about the maturity of the US around information security and how much more mature it is than what they are dealing with.

CEO Face, by rogerimp

I was a little shocked, actually. It’s pretty rare that you hear that kind of praise outside of the US.

When I asked more questions and pressed a little bit harder, the local contacts I have met with see things like PCI DSS and state legislation around PII and breach disclosure as big drivers of security maturity. They also seemed to focus on tools more than process, which is a dangerous road on which to take a stroll. Tools are definitely required, but tools are worthless if they are not implemented properly and seamlessly into an organization. Shelfware or human-scaling tools do not contribute positively to the security bottom line.

The perception of security departments inside the US is that they are more evolved due to compliance and regulatory initiatives that forced companies to implement tools first, then start to evolve how they addressed security as a function. For example, the CISO title does not seem to exist much down in the Australia/New Zealand geography, much like it didn’t here in the US in the early 2000s. The business of information security has been born here, but is still materializing in other geos.

It’s starting to happen, and the need is there, but the way to accelerate these discussions is to talk about the value and business of information security with executives instead of instilling fear, uncertainty, and doubt.

This post originally appeared on BrandenWilliams.com.