Report after report shows that the problem of information security is getting worse at a faster rate than we are getting better. It is an uphill battle and as we climb, the hill is getting taller. The only hope is change. The question is, what change is necessary? That’s the challenge for you. What change is needed?
I recently read a report (yet another) that was compiled by information security experts, and it highlighted how poor we are at managing this risk. We’re failing fast. But what I find interesting is the gap between what these reports tell us and what change is needed at ground level.
Do we need a change in behavior by the HR hiring manager, the network engineer and the cloud-services consultant to improve our situation? What decisions should they make differently to make a positive difference?
My view is that change is needed in governance before anything else. We need to regulate our industry to prevent market-driven decisions being made at the expense of information security. The network engineer is always going to make the best decision given their immediate situation. The hiring manager will always pick the best person for the job, and the cloud-services consultant will always pick the best solution for their client.
One could argue that Information Technology (as an industry) is already regulated indirectly given that IT is a component of already-regulated industries such as Banking and Health.
Another argument focuses on poor system development. We are filling our lives with devices built to add functionality to them: wearable devices, smartphones, IP cameras and smart TVs. These devices are designed and developed with profits in mind. The balance between financial return and security is wrong. Continuing down this path leads to less security. The solution is to require better.
In the famous words of John Chambers (Cisco CEO): “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. I mention that quote here to emphasize the stage that this message is coming from. Experts, reports and high-profile exploits are shouting from the rooftops that we have a worsening problem.
What do you think? What is the missing piece of this puzzle? We know that we’re doing information security wrong. So what change must happen?