Today I attended an all-day Jericho Forum Members’ meeting hosted by Eli Lilly at their Bagshot campus. It was a good session. We had some excellent and lively debates, with interesting contributions ranging from abstract academic posturing to eminently practical suggestions. As usual we agreed on many points and disagreed on others. This is the thing I like most about Jericho discussions. Everybody listens hard but they also give as good as they get. I’m a great believer that strong argument is the best vehicle for developing quality policies and standards. We could do with a lot more of it. There’s far too much consensus thinking in the security and risk communities.
You are probably asking yourself what is this Jericho Forum? What is it achieving? These are good questions that we constantly ask ourselves to make sure that Jericho continues to add real business value. The starting point in understanding what it’s all about is to dismiss the popular assumption that when the Jericho Forum talks about de-perimeterisation it is advocating the removal of firewalls from company networks. Far from it. We like to see defence-in-depth security measures. The real goal is to solve the business problems created by the fact that our perimeter security has already been shot to pieces.
The fundamental objectives of the Jericho Forum have been to highlight this problem, identify and articulate the business requirements, and then engage with vendors to develop the standards and products we need to build practical and long-term security solutions. This is no mean task and I believe that Jericho has been spectacularly successful in publicising and popularising the issue, uniting many influential CISOs behind a common goal and developing a body of knowledge to support the development of new standards and products.
Key deliverables this year have been the publication of the Jericho Forum Commandments and the drafting of more than twenty position papers examining specific aspects of the problem and solution space. But the real challenge for the future is to hand over the lead to the vendor community as we move the focus from business requirements to technology solutions. This will be a particularly difficult phase because user organisations love to collaborate and exchange their security practices but vendors have to compete and safeguard their intellectual property. That’s why I believe that the next year will be the making or breaking of the Jericho Forum as a long-term vehicle for thought leadership. Let’s hope – for all our sakes – that we can achieve the same success going forward.