Information security still immature, RSA conference told

In five years’ time the security industry will have matured into a data-driven profession, RSA conference told

In five years’ time the security industry will have more “degrees of freedom” as it matures into a data-driven profession, says Hugh Thompson, programme committee chair of the RSA Conference.

Mature professions have already gone through the transition from superstition to data-driven decisions, he told attendees of the RSA Europe 2013 conference in Amsterdam.

“In statistics, ‘degrees of freedom’ are parameters in a system that are free to vary independently, which means they do not matter and can be disregarded,” said Thompson.

As a profession matures, its practitioners have a growing ability to identify what things matter so they do not waste time and energy on those that do not.

“The speed at which a member of a profession can identify what does not matter is a measure of that profession’s maturity,” he said.

Unlike mature professions such as medicine or accounting, information security has not yet developed a standard set of tried-and-tested metrics that enable practitioners to make data-driven decisions.

“Even baseball team selections are no longer made on ‘gut feel’, but are based on proven statistical analysis of players’ performance,” said Thompson.

However, he believes information security has begun making the transition, with an increasing focus in the industry on developing the ability to make data-driven decisions.


This week the Trustworthy Internet Movement (TIM) launched an industry-wide project aimed at collecting as many useful, positive security metrics as possible to enable data-driven security.

Thompson said statistical analysis could transform information security in much the same way as it has transformed baseball, insurance and retail.

“Considering the velocity of change in IT, it is important for information security professionals to be able to figure out what does not matter very quickly,” said Thompson.

An information security professional, he said, should be like a spotter responsible for the safety of a gymnast on the parallel bars: providing dynamic protection without interfering with the business.

“The spotter does not tell the gymnast what not to do, but spots potential danger and is there to protect when needed,” he said.

Security no longer has veto power, so it has to become aligned with where the business needs to go, help it to get there and protect it in the process, said Thompson.

“Five years from now, the discipline of security will be about business not technology, it will be about aligning with the business and being flexible by figuring out what does not matter,” he said.

Having the ability to identify and focus on the things that matter, said Thompson, will mean that security professionals will no longer be the ones saying “no”, but will instead be in the business of enablement.
