I'm starting to think that we as a people have devolved to the point of losing most of our basic survival skills. If you spend any time driving the crowded roads of a major metropolitan area, or passing through airports and their associated screening processes, or even just pay attention to the news and some of the incredibly idiotic things that people are doing these days (Baptist "missionaries" trying to steal kids from Haiti, Pennsylvania schools surreptitiously spying on students via issued laptops, or even the current state of mindless politicians being directed by their corporate masters), then you probably understand what I'm talking about here.
This thread absolutely applies to infosec and the business community. It seems decreasingly likely that businesses are doing what is absolutely necessary to protect themselves and, more importantly, to ensure that the business continues. And I'm not talking about business continuity here in the BCP/DR sense (though that's certainly a part of the big picture). I'm thinking, quite simply, about fundamental attitudes and behaviors that reflect a general lack of awareness about viable threats to the business and continued success.
What we really need is a wake-up call of some sort here. A call for sanity and forethought to return to business. A call to move away from short-sightedness and a shift back toward long-term thinking that builds companies that provide value, benefit, and profit for much longer than 3 months at a time. Similarly, enterprises need to adapt a mentality that puts a premium on the survivability of the business, such as by acting in a self-preserving manner to defend itself against reasonable threats and establish reserves that help facilitate
From an infosec perspective, this should translate into a few common-sense practices...
Stop talking about traditional "risk management" as some sort of magical rubric or panacea.
Start talking about threat modeling and legal defensibility.
Stop using ad hoc approaches to security architecture and solutions.
Start adopting a holistic, systemic ISMS-like approach.
Stop delegating ownership of security to IT or other non-business leadership.
Start requiring execs and the board to directly own and be responsible for security.
Stop relying on shortcuts to survive audits.
Start demonstrating actual due diligence by adopting a reasonable standard of care.
Stop looking for ROI to "justify" security.
Start thinking of security as a business enabler that facilitates better decisions and helps protect the business during both the good and the bad times.
2010 looks to be a good year for a return to rational thought. It's time to re-awaken a sense of self-preservation in ourselves and our businesses. To survive is success in and of itself, and to accomplish that goal means building an environment that is resilient to changes, threats, and whatever else may try to shake it to the core.
So, finally:
This famous ranumism seems to apply well here (http://www.ranum.com/security/computer_security/editorials/point-counterpoint/homeusers.htm):
"Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is, today."
So, you say "Similarly, enterprises need to adapt a mentality that puts a premium on the survivability of the business, such as by acting in a self-preserving manner to defend itself against reasonable threats and establish reserves that help facilitate" but most businesses actually do survive - and thus continue to ignore security...
@Anton -
Ah, I see. And, yes, I think this would normally be true, though these days I really question whether this is actually true. I don't think businesses are truly acting in a self-preserving manner. Their focus is so incredibly short-sighted that there is no way they can be thinking about long-term value and survivability. It's an inherent contradiction, or paradox, that doesn't say good things about the future of corporations.
Thanks for the comment (on the blog, at that)! :)
-ben