I was contacted last week by a company that specialises in harnessing influence. They claimed to be working for a top IT security solutions vendor and had identified me as a key “influencer” in the UK. They wanted me to answer a set of questions but refused to say who the client was and offered no references or incentives. Not surprisingly I turned them down – another case of the Cobbler’s Children, where the influence peddlers are themselves lacking in influence.
But it set me thinking about who actually sets the agenda for security in today’s world. It’s an interesting question, because the answers are not immediately obvious. Certainly the influence is not where you might expect it to be.
Analysts such as Gartner and Forrester have our ears, but they operate by repeating back what clients and customers tell them. They serve primarily as a decision support tool, rather than a decision-making one. The same goes for consultants, who are essentially overpriced sounding boards.
Academics could be highly influential but today’s crop is short on ideas and prefers to ape the not-so-best practices of industry. Some new university courses are now focusing more on universal business skills, such as how to present a business case, rather than real security competences, such as how to secure an infrastructure.
Regulators are in a perfect position to set the agenda but they cannot be seen to be tilting the playing field, so they usually end up falling back on bland principles and universally agreed standards. You get the occasional exception, such as PCI DSS, but it’s generally the result of a standard developed by experts rather than regulators.
Vendors should be setting the scene, but innovative technologists are very much in the minority, and most established firms are run by commercial managers seeking to squeeze every last penny from their cash cows. Meanwhile their PR companies dish out bland press releases which few people read as they are primarily designed to stroke the egos of their masters.
That leaves governments and journalists. The former are a mixed bag of politicians who pursue fame and publicity, supported by civil servants who prefer consensus. The latter are also divided, into loyal scribes who support their sponsors and troublemakers who are looking for a good story.
So it’s no surprise to find politicians and bloggers featuring strongly in SYS-CON’s list of the “Most Powerful Voices in Security”. The top three are Darrell Issa, US Representative for California’s 49th congressional district, William Lynn III, Deputy Secretary of Defense, and Bruce Schneier. I made it to 51 on the list, though my friends tell me that’s because I have a loud voice that’s difficult to shut up.