Lately I've been spending more time lecturing to universities (Oxford and Surrey this week, Portsmouth the week after next). At each session I set out to present what's wrong with Information Security management today: just about everything, including the priorities, standards, methodologies, technologies and skills.
At the end of each talk I ask: "Do you agree?" The response is generally a refreshing "Yes".

Of course it might be my compelling rhetoric rather than the content that sways the audience. It's certainly hard to drum up any passion for today's slow, dry, quality-focused approach. But I suspect that I'm actually striking a chord that's long overdue to be heard.

If there's any hope for a change of direction, it lies with Academia. User organisations are too bogged down in the treacle of compliance to inspire any change. Vendors are only interested in what the users say they want. And institutions tend to be more concerned with preserving the status quo than with challenging the accepted wisdom.

Thirty years ago, if you'd told me that Academia was our salvation, I would have laughed, watching researchers struggle to find practical use for Bell and LaPadula models. Fifteen years ago, you would have got the same reaction as I observed universities putting together MSc courses inspired more by the Common Criteria than by industry practices. Today it's different.

It's time for students and researchers to go back to first principles and design an entirely new approach to information security management, one that's more in keeping with a fast-moving, sophisticated risk environment.