Preaching in a security wilderness

Last week I was fortunate to be speaking at Cyprus Infosec 2011. It was a first-class event with intelligent speakers, great debates and a smart audience. But yet again I seem to be the only speaker calling for a forward-looking approach to security.

Too many of our thought leaders are locked in the past, preaching outdated standards and old-fashioned management systems. These tools might be necessary for compliance but they will not meet emerging security challenges.

The business landscape is changing from one that is relatively static, standardised and synchronised to one that is dynamic, devolved and diversified. Fast-changing threats can’t be countered by static policies and paperwork. Internal governance systems can’t control external supply chains.

The future demands new approaches to responding to external events. And this in turn requires new skills, better intelligence, and smarter technology. Security managers should leave the paperwork on the shelf for the auditors and start implementing countermeasures that are capable of preventing advanced persistent threats.

We closed the conference with a futurist who pleaded for simplicity and regarded users as stupid. He was wrong on both points. Networks encourage diversity and complexity. We can’t and shouldn’t hold them back. The answer is to increase the intelligence in our security controls. Stafford Beer pointed this out more than 40 years ago. And it’s not users that are stupid but the people who design their systems. Safety experts learned that many decades ago.