Standing at the Crossroads

At the close of the first decade of the 21st Century I find myself writing my 500th blog posting for Computer Weekly. It’s an appropriate occasion to look back at the last ten years and look ahead to what might unfold over the next decade. Here’s my take.

The early years of the century saw events and changes that transformed the face of security. The dot-com boom encouraged security vendors to promise more than they could deliver, before they disappeared as quickly as they emerged. Enron propelled regulatory compliance to the top of the board agenda. 9/11 created a new management appreciation of business continuity. Basel II created an unprecedented appetite for risk management. These developments shaped the nature of corporate security for the first half of the decade, encouraging the growth of established processes and controls, rather than smart use of new technologies. The end result was a steady growth in security spending, but a lack of real innovation.

The second half of the decade has been dominated by high-profile data breaches, coinciding with the progressive criminalisation of cyber threats, and the unexpected shock of a credit crunch. These trends put confidentiality firmly on the map, but placed economic constraints on security solutions. In the government field the emergence of cyber warfare threats highlighted the need to safeguard critical national infrastructure, resulting in a longer-term interest in developing a common solution space to safeguard national and industry interests. The result has been an unprecedented political interest in security, with an appetite for short-term fixes, coupled with an increase in government funding for longer-term research initiatives.

The next ten years will present a range of even more challenging problems, different from anything we've previously encountered. We face sophisticated threats from criminals and hostile intelligence agencies. We need to convince a new generation of socially networked employees to apply badly-crafted corporate policies. We must persuade cloud service providers, who aim to reduce costs, to spend more money on security. We need to build new security skills that incorporate sophisticated techniques from psychology and marketing. We also need to secure whole communities of business partners who might operate very different policies and practices. And, at the same time, we have to respond to an unprecedented wave of regulatory compliance that might eventually send our directors to jail for an oversight in personal data protection.

To meet these challenges we need to do two big things: firstly, to build for the long term; and secondly, to innovate. Yet we appear to have lost our ability to do either, at a time when we badly need it. Security managers have been far too busy paying attention to short-term compliance needs rather than creative solutions. Vendors have been focused for far too long on re-launching old products with new features and fresh marketing. And academia has also been far too preoccupied with developing silos of esoteric interest, where success is measured more by media fashion and attention than by business success. At the same time, our professional development schemes have been focused on teaching old techniques rather than new skills. The barriers to entry for fresh ideas have never been greater. And we haven't even solved the problems presented in the last ten years. We need immediate action to redress the balance.