On the Relative Unimportance of InfoSec
Or: Check your ego at the door
While watching Haroon Meer's TROOPERS keynote, I was struck by the major, structural shortcomings of the InfoSec industry, and by how little impact it has really had on the world. I was left asking myself: even with the sorry state of security and today's endless parade of bugs and breaches, who is feeling the pain? Haroon highlights that companies that have been breached bounce back quickly, and for the most part go on to show promising returns and stock value growth. Consumers have been impacted in great numbers lately by breaches of retail companies, and their pain has been minimal, other than signing up for free credit monitoring and having to enter new credit cards into Amazon. CISOs may be fired as a token action to show the company is moving forward; however, they can now add "Incident Response" to their resumes and find a new job.
Because the InfoSec community inhabits such a high-tech, niche area, it is an insular community that I believe tends to overestimate its importance. When the pharmaceutical industry makes a mistake, people die; when banks made bad bets on sub-prime mortgages that led to the financial crisis, people lost their jobs and their homes; when a company suffers a PCI breach, people have to update their Amazon settings. We as an industry should be glad that our shortcomings have not led to significant pain and suffering, and should look at how our field can support the impressive benefits that technology brings to society, rather than persisting in insular echo chambers.
My TROOPERS talk was conveniently later in the day, after Haroon's keynote, so I could bring some of these issues to bear and foot-stomp on how I think InfoSec needs to realize its place in supporting business and innovation, not as an end in itself. My recent work has been with InfoSec decision makers, helping them evaluate their security strategy through the lens of how it fits into the greater goals of the business. Until this perception is widespread, security will only be seen as a roadblock or a cost of doing business, not as a value-add.
Cyber-security Philosopher and Boffin