Over the last week, I've attended a security awareness forum and spoken at a cloud computing conference. The major learning point highlighted by both events, was both predictable and significant: our current approach to security is failing to deliver and requires a major re-think.
I touched on this issue in my latest Infosecurity blog posting. The new world of cloud computing, for example, introduces a new set of problems that we have yet to experience. For many years, we've assumed that we can manage emerging problems through risk management or best practice controls. Both approaches fail because we simply don't know what's lurking in those clouds.
The obvious answer is to switch to a more pragmatic approach of addressing the underlying, root causes of incidents, rather than trying to predict the future. Human failings, for example, are the most important factor in the vast majority of incidents, and this people-oriented trend will grow with increasing user power and connectivity.
Is this too simple? It probably is. Otherwise we would have adopted it decades ago. Just think, for example, how much better the world might be if we'd fixed the password problem two decades ago. Simple is not easy but it often works best.
