Standing at the Crossroads

At the close of the first decade of the 21st Century I find myself writing my 500th blog posting for Computer Weekly. It’s an appropriate occasion to look back at the last ten years and look ahead to what might unfold over the next decade. Here’s my take.

The early years of the century saw events and changes that transformed the face of security. The dot-com boom encouraged security vendors to promise more than they could deliver, before they disappeared as quickly as they emerged. Enron propelled regulatory compliance to the top of the board agenda. 9/11 created a new management appreciation of business continuity. Basel II created an unprecedented appetite for risk management. These developments shaped the nature of corporate security for the first half of the decade, encouraging the growth of established processes and controls, rather than smart use of new technologies. The end result was a steady growth in security spending, but a lack of real innovation.

The second half of the decade has been dominated by high-profile data breaches, coinciding with the progressive criminalisation of cyber threats, and the unexpected shock of a credit crunch. These trends put confidentiality firmly on the map, but placed economic constraints on security solutions. In the government field the emergence of cyber warfare threats highlighted the need to safeguard critical national infrastructure, resulting in a longer-term interest in developing a common solution space to safeguard national and industry interests. The result has been an unprecedented political interest in security, with an appetite for short-term fixes, coupled with an increase in government funding for longer-term research initiatives.

The next ten years will present a range of even more challenging problems, different from anything we’ve previously encountered. We face sophisticated threats from criminals and hostile intelligence agencies. We need to convince a new generation of socially networked employees to apply badly-crafted corporate policies. We must persuade cloud service providers, who aim to reduce costs, to spend more money on security. We need to build new security skills that incorporate sophisticated techniques from psychology and marketing. We also need to secure whole communities of business partners who might operate very different policies and practices. And, at the same time, we have to respond to an unprecedented wave of regulatory compliance that might eventually send our directors to jail for an oversight in personal data protection.

To meet these challenges we need to do two big things: firstly, to build for the long term; and secondly, to innovate. Yet we appear to have lost our ability to do either, at a time when we badly need it. Security managers have been far too busy paying attention to short-term compliance needs rather than creative solutions. Vendors have been focused for far too long on re-launching old products with new features and fresh marketing. And academia has also been far too preoccupied with developing silos of esoteric interest, where success is measured more by media fashion and attention than by business success. At the same time, our professional development schemes have been focused on teaching old techniques rather than new skills. The barriers to entry for fresh ideas have never been greater. And we haven’t even solved the problems presented in the last ten years. We need immediate action to redress the balance.

Comments

Ok David, now give us the BAD news.
I think there is much in what you say are the problems to be addressed. On 'compliance', I feel many organisations, and therefore managers, focus on a form of compliance in which the creation and maintenance of a risk register and ISMS allow them to 'tick a box'. In so far as employee engagement goes there is still an emphasis on the 'user as the enemy' not only in the 'malicious' sense, but in the 'too dumb' sense. This leads managers to develop technology-based solutions that discharge the user from responsibility by imagining they can be prevented from doing damaging things. (This model suits vendors too, who are always happy to peddle silver bullets - whilst explaining in the small print they are not making any such claims.)

You are right to focus on the importance of understanding user psychology, both individual and collective. As John Adams points out in his model of the human 'Risk Thermostat', if you try to reinforce security by technology alone, the users will compensate for what they perceive as enhanced protection by relaxing their own propensity to take risk. If we want to tackle what remains the main source of breaches - malicious, but mainly non-malicious, behaviour by employees - then understanding how to design jobs, teams and working environments that support active engagement in, and collective responsibility for, information security will be key.

* Declaration of interest: I'm a member of the 'Information Security Management' Course Team (M886) at the Open University. Does that mean I'm in one of the silos you mentioned ;-)

Anthony Meehan