Lately I've been spending more time lecturing to universities (Oxford and Surrey this week, Portsmouth the week after next). At each session I set out to present what's wrong with Information Security management today: just about everything, including the priorities, standards, methodologies, technologies and skills.
At the end of each talk I ask: "Do you agree?" The response is generally a refreshing "Yes".
Of course it might be my compelling rhetoric rather than the content that sways the audience. It's certainly hard to drum up any passion for today's slow, dry, quality-focused approach. But I suspect that I'm actually striking a chord that's long overdue to be heard.
If there's any hope for a change of direction, it lies with Academia. User organisations are too bogged down in the treacle of compliance to inspire any change. Vendors are only interested in what the users say they want. And institutions tend to be more concerned with preserving the status quo, rather than challenging the accepted wisdom.
Thirty years ago, if you'd told me that Academia was our salvation, I would have laughed, watching researchers struggle to find practical use for Bell and LaPadula models. Fifteen years ago, you would have got the same reaction as I observed universities putting together MSc courses inspired more by the Common Criteria than industry practices. Today it's different. It's time for students and researchers to go back to first principles and design an entirely new approach to information security management, one that's more in keeping with a fast-moving, sophisticated risk environment.