incomplete thoughts: really changing the game?

This is an incomplete post that I never published and don’t see myself truly completing. And rather than keep it in my list of nagging unpublished things, I thought I’d release it to the wild that is the blogs.

First, go read Rocky’s piece over at fudsec on changing the game. Then read Mortman’s response over at Securosis. Those two links started whatever thoughts I had below…I think some are points the authors were making, and others are my own responses…but I don’t recall. Any current thoughts I’ll bold.

This quick, dirty synopsis is for my own benefit to better dissect the point of the article, and also demonstrate what I took away, in chunks.

1. The Information Domain is manmade, and it is a domain where we can change the landscape, not be bound to changing for it.

2. We’re short-sighted, rather than long-sighted. We tackle immediate hurdles rather than perform city-planning.

3. Need to change from short-term fixes to long-term strategy.

4. 3 ways: leadership, research, information sharing.

5. Leadership: No one is jumping to save us. We need to lead the way.

6. “[Businesses] need to care much less about being compliant and more about being fundamentally secure – or if you prefer having better visibility into real risk [to the business, not necessarily to an asset].”

7. Too much of what we measure is point-in-time.

8. As infosec pros we have let compliance initiatives drive spending and have ridden along for the ride.

9. We lack the knowledge of the business and how to apply what we do in a meaningful way to the business. I still find this an arguable point. In some cases, the business needs to understand IT (and security) more to better understand business continuity… Nonetheless, this is usually the weakest point in topics like this, not because it is not true, but because it is arguable and situational. Can we always convince business to treat security more aligned with the business or part of the core business line? No. How often are we satisfied that security is good and top notch? Not often, if ever.

10. Vendors fall into the hole of non-innovative solutions that are just meeting our needs, without pushing forward. Vendors need to be thought-leaders. In turn, vendors need to listen to their customers and deduce their actual needs. Consultants need to listen better. Vendors are in the same boat as internal security experts: trying to sell the idea. It would be far easier to be thought-leaders if security weren’t already perceived as dragging on the heels of innovation and itself being dragged into the boardrooms by breaches/regulations. Huge point about consultants!!! Need to listen better and the industry needs to ditch or teach the charlatans.

11. Get past the “way it’s been done.”

12. Research. We need to support research. Research should be revolutionary, not evolutionary.

13. Information Sharing. Collaborate with industry competitors.

