As a regular conference speaker I’m always intrigued by which topics are in fashion and why. A few years ago it was outsourcing and cloud computing. More recently it’s been the human factor. Lately it’s been the future of security that attracts the most interest. I’ve given three talks on this subject over the last few weeks. And I’m not the only one speaking on that topic, though I have to admit that I do seem to be rather better informed.
Why should the future of security be fashionable? After all it’s been coming for a long time. The answer is because existing approaches are failing. No matter how hard we work the results are inadequate. Process improvement and maturity frameworks are not the answer. They remind me of Samuel Beckett’s words: “Go on failing. Go on. Only next time, try to fail better.”
So we need new solutions. Unfortunately, however, there is little concrete on offer. I’ve seen quite a few good analyses of the problem space by analysts, vendors and even partners of Big 4 companies. But I have yet to see anyone articulating a decent vision for the future.
My own views are more radical. I take the view that we must adapt our approach from the current one which is rooted in outdated, industrial age ‘process’ thinking, towards one based on a real-time, improvisational response, more in keeping with the characteristics of the information age. Our approach to security needs to change considerably: to be more immediate, personal and outwards, and focused on intellectual assets such as reputation, relationships and responsiveness.
Priorities, skills and technology all need to change. Many professionals have only just discovered that process can be as powerful as technology. But manual or scripted solutions are not effective in a dynamic, connected environment. The future of security demands smart use of technology and thoughtful relationship management. Process is an industrial age concept and will eventually be consigned to the scrap heap.
In fact security has always been primarily about gaining maximum visibility and persuading thousands of people to do things they don’t even want to consider. In the past we got away with it by simply showing evidence that we’d tried our best. But in the future we will need to achieve real results. To be honest nothing much has really changed. It’s simply that our previous inadequate efforts have been found out.