I love Fall. It's my favorite time of year. The weather has that wonderful chilly bite to it, the humidity generally drops away, and then there's the folliage! This Fall, here in Northern Virginia, has been the best of the best. We've never seen colors like these in the last 5 years, and friends who've lived here much longer say they don't ever recall a Fall like this, either. So, suffice to say, I'm rather pleased with the outside world.
Fall, however, is about more than just pretty colors. It's also about the cycle of life. In the grand scheme of things we typically associate Fall with the dying throes of life, Winter with the period after death, Spring with the emergence of new life, and Summer with the peak of living. Putting aside the somewhat morbid aspects of this life cycle, I have to wonder how many organizations apply similar thinking to themselves? How many decisions have - or should have - a life cycle? I would think pretty much everything should be evaluated accordingly, but it doesn't always seem to be the case.
Take, for example, the traditional security perimeter. This concept is, for the most part, patently ridiculous today. 15 years ago it made sense, because 15 years ago you were only allowing in a limited number of connections, and those connections were quite often from reasonable trusted sources. Today, in contrast, we left in myriad sources offer ports 80 (HTTP) and 443 (HTTPS) without really having much capability or willingness to filter this traffic. After all, if you start blocking large chunks of the Internet from reaching your web site and associated applications, then you're probably hurting your business.
As such, these major concepts need to be evaluated according to a life cycle. Their peak is past and they're now beginning to show their true colors. Death is nearing, Winter looms, and we only have an inkling of the new lives that will emerge in the Spring. Perhaps this new life will be along the lines of th Open Group's Jericho Forum, or maybe it will be some entirely new technology with which we're not presently familiar. DLP helps us try to catch outbound leaks, and application firewalls offer some protection from web-based attacks, just as secure coding principles help make the applications themselves more resilient to attack. In the end, however, none of these solutions seem particularly compelling.
Raising this question of life cycles and how they apply to higher concepts within security, within IT, and within business itself are extremely valuable. In my opinion, these questions are not raised often enough, resulting in organizations sticking with decisions that were perhaps adequate 5-10 years ago, but certainly don't make much sense in the modern context. Even decisions made less than 5 years ago may not make sense today given the changed economic and business climate.
As such, I urge you to consider decisions that you've made and are making within a life cycle context. This is not to say that we should not be making strategic decisions with a long-term perspective, but it is to suggest that today's decision based on the best available information may be completely obsoleted by tomorrow's news. In order to continue growing and maturing, we need to be re-evaluating what we do and how we do it. Think of it as the modern day equivalent of continuous quality improvement, but sped up and bulked up.
And, lastly, if you think that all your decisions throughout time have been perfect and should be maintained, then I would encourage you to get out to a few conferences in the coming year. Much has changed in the last few years, and the industry is poised for even greater changes in the next few years. Chances are very good that some decision you've made in the past will experience its Fall very soon.
