I was trying to think that I know something about security. The more I read and browse and surf, I learn and realize that I know too little and then less. I am observing in this forum that there are a good number of great posts. I wonder if we should start a process to identify steps needed to be taken to be informed and keep the expertise at a least to a certain level as we determine be the best practice. Time to time I will summarize points if we have this topic populated.

Let me know what you think.

The podcast idea mentioned in the previous post is a good one.  I use my commuting time to learn all kinds of skills - business "soft" skills, certifications (Prep Logic audio series or my own creations), and IT podcasts.

Another way understand best practices is to join a group such as a local 2600 club, ISACA meetings, and other professional and ametuer gatherings.  I also like reading magazines such as SC Magazine, Information Security, and other "trade rags" to keep me in the loop on developing trends.  Perhaps the best way to understand information security "best practices" is to work in the industry.  I learn the most about best practices by working with people who have more experience and are smarter than me.  That way the pressure to learn more is constant - and I've been in IT for over 15 years.  Although I am a senior level person working in a large Fortune 500 bank in the information security department, I learn something new about IS "best practices" every day.