Let's have a heated debate

RSA conferences are a great opportunity to network with friends, colleagues and interesting personalities. At last week's event in London, I especially enjoyed having dinner with Ira Winkler, a legendary figure in the information security community and an original thinker. Information security has a tendency to attract quiet thinkers, so it's refreshing to encounter outspoken observers.

That's one reason why Bruce Schneier is such an influential commentator. Ira Winkler falls into the same category. He dares to speak his mind and promote new viewpoints. We need more of that. I especially like the way that Ira adapts learning points from Far Eastern martial arts. Information security is a new subject. We need to build on ideas developed in other fields. And there are lots of interesting parallels out there to be discovered.

One area we argued about was whether fear or reward works best for influencing behaviour. Ira prefers the former, I subscribe to the latter. Ira is better qualified in psychology, but I've also done research in this area. Both work, but, in my view, fear and punishment breed negative, rationalised responses and don't get the best out of people. But Ira is right to say that it works well in practice, especially in the short term.

In fact, this is exactly the sort of debate that's long overdue in the information security field. We need to encourage security managers to think about these issues, and their consequences. There's too much argument about public policy issues that we can't influence, rather than local organisational issues that we can address now.


About

This page contains a single entry from the blog posted on November 4, 2008 9:54 PM.
