Is this as good as it gets?

Every single day we hear new reports about large organizations being thoroughly penetrated by sophisticated attacks. Just when we thought it could not get any worse, it does. This is not just bad luck, and these attacks are not simply isolated incidents. It is, in fact, a phenomenon to be expected; the result of years of neglect in addressing the root causes of security breaches.

Put bluntly, our current approach to information security is not fit for purpose. It hasn’t been for years, though we continue to congratulate our efforts with bullish presentations and glittering award ceremonies. But the fact is that a growing wave of regularly compliance has well and truly drowned what little inspiration might have existed to create new solutions. The result is that organized crime and intelligence agencies are free to steal whatever they want from our databases.  

Let’s face it our so-called best practices are no more than bureaucratic collections of ancient (often flawed) rituals. They might satisfy our auditors and regulators, but they don’t address the growing gaps in our defences. This is to be expected to some extent, as standards and compliance processes are intrinsically backward-looking. It takes many years to identify, document, agree, implement and certify a set of controls.

Security today demands forward-looking horizon scanning and real-time assurance mechanisms. And it needs to be executed across an increasingly externalised infrastructure. The users have left the building, the apps are following. Securing the in-house LANs and servers is not the answer. And we are a long way from agreeing the new problem space.

Designing strategies, writing policies and conducting audits will not fix these problems. We have to break free from the treacle of compliance and build brand new solutions. The key question is who will lead this revolution? So far no one appears to have come forward. Not industry, not the governments, not the institutes and not the universities. Even the vendors are short on solutions. (Many have only just discovered ISO 27001.)

The security community has a long journey ahead. It would be useful to have a direction, a leader and a budget to solve it.