I spend a lot of time working with big and small enterprises, helping with information security or risk management issues. What continues to amaze me is how much they differ in their security governance style and control requirements, but how similar they are in security initiatives and solutions.
I find it as remarkable to see small companies aspiring to implement management systems, scorecards and maturity frameworks as I do to find very large organisations wanting to standardise on a common set of enterprise policies, standards and governance processes. Security standards have become decoupled from requirements. It is a dangerous drift towards a monoculture of identical but unsuitable security countermeasures.
Where is the appetite for innovation and diversity?
The answer is that it's been killed off by a professional development mindset that is reluctant to challenge the accepted wisdom of an established compliance regime. Real security is career-limiting. Best practices are far safer.
This situation cannot continue. We need to encourage and empower our security managers to think, judge and develop solutions that are more in tune with real business. But a single business will find it hard to break the mould. And government, regulators, trainers and standards bodies are even more constrained. The future has to lie with academia and journalists, who are free to research, criticise and encourage new ideas.
If you're a university or research establishment, then I would encourage you to take on this challenge. It's an important one, because in my opinion every single aspect of information security management (bar none) is inappropriate, and in need of substantial improvement. We must throw away the past and invent new solutions from first principles.
The starting point is to nail down those principles. What are they? There is a gap here. Watch this space for more on this topic.