A colleague of mine recently commented on the ‘herd behaviour’ that has become commonplace in the information security community. It’s a dangerous trend, which stifles innovation. And it’s often reinforced by well-meaning central authorities, who set out to coordinate industry responses to problems, stamping out overlap and duplication of effort, rather than embracing creativity and diversity.
Information security today uses the same methods first pioneered more than 20 years ago, but in those days there was more variety in how controls were implemented. Companies would steal ideas from others but aim to improve and tailor them. This diversity caused so much overhead in partnerships that we were prompted to create the BS7799 standard as a common reference point. Unfortunately the pendulum has swung too far the other way, and we now have far too much similarity (and mediocrity) in how organisations address security.
Talking last week to Jason Larsen, one of the world’s top SCADA security authorities, I asked him what he thought was the biggest barrier to effective security defences. “Best practices” was his immediate response. Everyone now uses the same anti-malware products and operating systems. An attacker only needs to test new attacks against a handful of popular security products. This monoculture is a growing source of systemic risk.
With these thoughts in mind it was a welcome, refreshing relief to attend last week’s Global Security Challenge Finals in London. The strap line “competitions are the new innovation drivers” indicates the logic behind the contest. Security depends on new ideas, and there were plenty on display. Finalists included a new form of biometric authentication (eye movement scanning), a new solution to combat counterfeit products, and new technologies for more effective CCTV scanning, luggage scanning, video indexing, malware prevention and data loss prevention. It was good to see security solutions exploiting virtualisation and cloud computing, reflecting the phenomenon that solutions can emerge from the very technologies that introduce security challenges.
We need more ideas, greater competition and better shop windows to attract venture capitalists to emerging products. The GSC is a great example of how to achieve this.