Whither thought leadership in public policy?

Just at the time when the security world desperately needs innovation, imagination and a brave new direction, it appears that the public policy cupboard is well and truly bare.

Every week that goes by demonstrates that our cyber security defences are ineffective. No institution seems to be capable of resisting advanced persistent threats. This comes as no surprise, considering that we have been rolling out insecure systems and infrastructure for decades. The worrying thing is that we are not doing much to change this, and that the systems that control industrial processes are often the worst of the lot.

If there is any hope for information security, it lies with a more enlightened and much tougher public policy. User organisations have proved incapable of introducing any radical changes, and vendors prefer to supply what their customers ask for, rather than develop new solutions.

Unfortunately, many of our public policy researchers appear to have gone native, preferring to applaud, rather than challenge, existing practices. The latest example of this is the recent report from Chatham House on Cyber Security and the UK’s Critical National Infrastructure, which concludes that the answer is better citizen awareness, information sharing and corporate governance led by non-technical, business-savvy folk. Just how citizens or risk management processes can transform a broken infrastructure beats me. And therein lies the problem. Security management today is much more about the art of fudge, backside covering and company politics than about real risk reduction. Nobody wants to practise real security. It’s far too difficult, expensive and unpopular. It’s much easier to design a new governance process or simply blame the customers.