I’m regularly accused of being a prophet of doom because I forecast back in 1999 that the average risk profile would climb to a dangerous level by around 2006. That was my suggested starting date for the long-awaited e-Pearl Harbor. It hasn’t happened yet, though we’re certainly overdue for a major incident. Despite that, I remain relatively optimistic about the long-term future, as long as we implement the right strategy and solutions. That will come with time. Major incidents have a habit of containing excesses if risks get seriously out of hand.
My original predictions were based on road mapping exercises carried out by leading subject matter experts that considered all dimensions (social, business, government, legal, technological, etc.) as well as the impact of future trends in research and solutions. Unfortunately, we’re surrounded by less sophisticated analyses, based on single-issue arguments. Such forecasts should be consigned to the security dustbin.
The latest example is Roger Grimes’s InfoWorld article on “Computer security’s dubious future”, which assumes that security is doomed because life is getting more complex. Don’t believe it. He hasn’t taken the trouble to properly assess the problem space or the potential for solutions.
There is no reason why problems caused by complexity can’t be tackled by the right technological approach (students of Stafford Beer would understand this) or by initiatives to reduce diversity (there are many techniques for achieving this). You can find plenty of examples in life of control systems that can handle complex threats. The human immune system is just one example.
Richness of choice in products or services is to be welcomed. Security needs to respond to this of course. But there is no reason why we can’t develop an effective antidote.