An Open Letter To The Information Security Industry: We Live In Amazing Times

Sometimes a positive attitude goes a long way

I apologize that this post is not about open source, however I think it was important enough to post up here.

I just returned home from the UNITED Security Summit in San Francisco. Besides speaking myself at the show, I had a chance to sit in on some great presentations by some familiar and some not so familiar (to me anyway) folks. While overall the tracks were great, one theme that was pretty constant was the pessimism in general about the security industry. The feeling was that we are losing the battle, nothing is changing, and without “radical change” we are doomed to repeat the same mistakes and failures.

This doom and gloom is contagious and becomes a self-fulfilling prophecy. I think that while the challenges are certainly great, we should not forget where we came from. I am reminded of a bit by the comedian Louis CK.

We are like the guy who complains about the WiFi not working on a plane. Think about it. You are sitting on a huge hunk of metal, flying through the air at over 500 miles an hour at almost 40,000 feet altitude. The plane is directing an antenna at a satellite in space, sending and receiving data at speeds that were unimaginable just 20 or 25 years ago even if you were wired to a computer. Every once in a while it doesn’t work and you complain. Hey guys, we live in amazing times!

The same is true of IT in general. The speed of technical evolution (not revolution mind you) is staggering. Yes, the security industry has not been able to overtake the pace and is struggling to keep up, but we are running as fast as we can.

Let us not forget that just 15 or 20 years ago there really wasn’t an information security industry to speak of. We have built and developed an awful lot in that time frame. I am not saying we need to rest on our laurels, but that half-empty glass is half-full too.

The fact is, as we brought up at the show, that many of the breaches we see are using the same old attack vectors. Bad passwords, default passwords, and clicking on links we shouldn't still account for many breaches. We can combat this.

Another thing I hear at these shows is that the security industry is maturing and we crave better metrics to make better decisions and better strategies. I agree with that, but for such a “mature” industry we are terribly self-centered. While security is the most important thing to us, in spite of the self-deluding analysis we receive, it truly is not the most important thing to business. The most important thing to business is profits, followed closely by revenue. Dotted lines and potential liabilities are all fine and dandy. But at best organizations put a small portion (3% to 4%) of their budget into security. If something is only taking 3 to 4 percent of your budget, it probably only gets 3 to 4 percent of your time and attention.

This is the sad truth that a “mature” industry like ours has to realize. Until the problems and threats are felt by the business owners to warrant more than 3 to 4 percent investment, we are not going to see a radical change.

So let's be more positive about what we can do. Let's take our small wins and build on them instead of ridiculing them. We have come a long way and, yes, we have a long way to go. The rest of IT and the world will not wait for us; they will continue evolving at the breakneck pace they have been.

But setting attainable goals, taking our wins when we can and trying to keep people positive about the mission is, I think, a better strategy than preaching doom and gloom that the sky is falling, even if maybe some days it seems like it is.
