The slow, painful death of real information security

I’ve blogged before about the perils of best practices and standards, and the crippling effect of compliance on security programmes. The consequences, however, are getting more serious as these ideas progressively embed themselves across a world that is sleepwalking down a one-way street into an inescapable pit of bureaucratic treacle.

Experienced security practitioners (me included) have to accept the blame for this dreadful state of affairs. We have encouraged the growth of best practices, standards and compliance, without fully appreciating their consequences.

Let’s face the reality. Best practices are no more than a snapshot of current practice, and they cannot defend our interests against future threats. Standards create a backward-looking monoculture that discourages innovation and enables attackers to anticipate our defensive measures. And compliance cements these standards into permanent demands that cannot be ignored, regardless of their cost, relevance or importance.

The most dangerous trend of all is the rapid growth in quality management concepts that place excessive emphasis on paperwork (generally cloned), and pay no attention to real thinking and initiatives. The reality is that any required paperwork can be instantly downloaded from the Internet. This is not real security. And this is not where our priorities should lie.

Over the last year I have seen dozens of enterprises implement thousands of pages of documentation that nobody will ever read. This practice is especially time-wasting in countries with cultures that do not generally follow written instructions. It is a bad British export.

Unfortunately, today’s security functions cannot make a business case to do anything different than to follow these outdated rituals. The result is that security functions are bogged down in trivia. Their time is wasted in closing down forgotten audit actions, rather than addressing more serious, emerging threats. And their success is measured by auditors with little experience of real world security.

We have reduced security to a tick-box quality management function. It is wrong, and it’s killing innovation and enterprise. Where is the escape hatch?