We can no longer pretend that information security is working in its current form. So let's change it.
At the World Economic Forum on 24 January 2004, Bill Gates, chairman of Microsoft, famously predicted that spam would be a "thing of the past" within two years. Obviously, that prediction was incorrect.
In fact, the spam situation is worse today than ever before. But the amount of spam is just one indication that information security is broken.
Is that really true? Of course it is. Just look at the "results". By nearly every measure - number of vulnerabilities, exploits, attacks, amount of money lost, number of data breaches reported, etc. - the problem of information security is not getting any better, and more money than ever before is being spent on this losing effort. Tell me: by what measure does anyone think that information security is actually working successfully?
This isn't news. In spite of the recent positive - and well-deserved - attention that Adam Shostack and Andrew Stewart's The New School of Information Security has received, the book's premise is really only news for those in the industry who have not been paying attention - or those who have not wanted to pay attention.
Shostack and Stewart said publicly what experienced infosec practitioners already knew: the emperor has no clothes.
The authors state that marketing by information security companies is partly to blame for this state of affairs. It's true that the industry has pushed fear, uncertainty, and doubt (FUD) for far too long. But it has done so because it can. And, because it has worked. At least it used to; I'm highly sceptical of FUD's value at present as all the signs indicate that buyers seem to have finally grown tired of it.
Now that The New School of Information Security has effectively completed step one of a 12-step programme for information security practitioners - admitting publicly that we have a problem - the real question is what's next on our path to "redemption" (think effective information security programs)?
What is our step two? We already know that it's not vendor marketing, but I don't see an obvious next step.
To achieve "redemption" (effective information security programs), we need to rethink how we approach our admitted collective problem. Maybe we should be focusing on the fact that we have a limited set of tools and capabilities to work with (no one has an unconstrained budget), and that the answer is not necessarily more new technology, but more effective use of existing capabilities.
Additionally, more technology may even be part of the problem. We should be thinking instead about how we could rewire the circuitry - that is, change our processes to use less energy to save ourselves (and our jobs).
By doing less, but doing that more effectively, we could probably achieve Pareto efficiency (think 80/20 rule). That is, by focusing on the top 20 per cent of our vulnerabilities, we could probably eliminate 80 per cent of our risk. That was the original idea behind the SANS Institute's annual SANS Top 20 Risks.
Another way to think about this problem is analogous to the long-standing debate over signatures (definitive, but reactive) versus heuristics (not definitive, but proactive).
We should not be thinking about how we try to definitively eliminate all known threats, but about how we mitigate probable risks, which may be unknown as well as known.
I would suggest that a good place to start this transformation is with our own business processes, particularly those outside the IT department.
While IT personnel generally have some degree of knowledge, and appreciation, of information security risks, that is not always the case in other business units, whose top-priority tasks usually have nothing (directly) to do with security.
At least we all seem to now agree that information security is broken. Let's do something to fix it.
- Tim Mather is chief security strategist for RSA Conferences.