You may have noticed a marked increase in the amount of posts I’ve done to
this blog lately. Or maybe you haven’t because I’m just one of many people
in your Twitter, RSS, LinkedIn, Medium, or however you read and/or ignore
Whether you read these posts or not, all these new posts aren’t necessarily
an accident. There is an underlying motivation driving me to put thoughts
around Information Security to digital bits once again.
What is it? A sense of purpose that, quite honestly, I haven’t felt in a
while. About the Information Security industry. About where I see things
happening and some things we need to do to effect positive change, creating
a more “secure by default” environment for everyone and everything.
Do I think it will happen overnight? No. Do I have all the answers about
how to get there? No. That said, 20 years in this industry has given me some
ideas about what works and what doesn’t.
What I do know is that the bottom-up approach that many are taking to
effect change isn’t working that well. By that, I mean that initiatives for
Information Security are usually not coming from the people in charge, but
rather the IT (Security) personnel who, innately, understand something
needs to be done, but they can’t explain it to the people who write the
checks in a way that will get the necessary funding required to effect
Sometimes, security initiatives are actually driven from above as well.
Frequently, it comes after a major incident that makes the news.
I bet Information Security suddenly became a lot more important at the
various retailers that had millions of PCI and/or PII data records
stolen. However, there’s no evidence those efforts have resulted
in improved security or that other, similar organizations have started
taking the necessary actions to improve their information security
practices before they are the next target.
There are a lot of platitudes and sound bites out there about how
organizations can be more secure. There’s a lot of noise from vendors in
the space about their solutions and how, if you buy and deploy their
stuff, they will keep you secure (and those other vendors who have
competing products won’t).
This problem, and the solutions, are far more nuanced than any sound bite
can capture or any single product suite can solve. It’s about bridging the
gap between the technical information security people who know what’s going
on and the people making the strategic decisions and writing the checks.
This is the kernel of the idea I have. The details of how to do this
need a bit more refinement. When I put these ideas out there, I expect
the Internet to tell me how wrong I am.
I’m not afraid of that. In fact, I welcome it. One lesson I learned from
maintaining the old FireWall-1 FAQ was that when I put wrong
information out there (not intentionally, of course), someone will tell
me and give me the right information. Then I can share that information
with others, as I’ve done for 20 years.
When the time comes, I would like to share these ideas with a much wider
audience than my old FireWall-1 FAQ was able to reach. If you
have any suggestions or feedback, I’d love to hear your thoughts.