I spend a lot of time working with big and small enterprises, helping with information security or risk management issues. What continues to amaze me is how much they differ in their security governance style and control requirements, but how similar they are in security initiatives and solutions.
I find it as remarkable to see small companies aspiring to implement management systems, scorecards and maturity frameworks as I do to see very large organisations wanting to standardise on a common set of enterprise policies, standards and governance processes. Security standards have become decoupled from requirements. It is a dangerous drift towards a monoculture of identical but unsuitable security countermeasures.
Where is the appetite for innovation and diversity? The answer is that it's been killed off by a professional development mindset that is reluctant to challenge the accepted wisdom of an established compliance regime. Real security is career-limiting. Best practices are far safer.
This situation cannot continue. We need to encourage and empower our security managers to think, judge and develop solutions that are more in tune with real business. But a single business will find it hard to break the mould. And government, regulators, trainers and standards bodies are even more constrained. The future has to lie with academia and journalists, who are free to research, criticise and encourage new ideas.
If you're a university or research establishment, then I would encourage you to take on this challenge. It's an important one, because in my opinion every single aspect of information security management (bar none) is inappropriate, and in need of substantial improvement. We must throw away the past and invent new solutions from first principles.
The starting point is to nail down those principles. What are they? There is a gap here. Watch this space for more on this topic.