Security: Best practice or ancient ritual?

There is a lack of invention in information security, but exciting developments are waiting in the wings, says David Lacey, the author of some of the world's most widely used security standards.


Let’s face it, there’s a dreadful lack of creativity and innovation in information security today. Risk management and governance methods have changed little, if at all, in three decades.

Today’s ISO standards are based on a body of text created over twenty years ago. In fact, aside from a sprinkling of security technologies, which you can count on one hand, nothing really new has emerged in the lifetime of today’s security managers.

We have a dangerous herd mentality setting in, to the point that best practices can now be considered dangerous in themselves. Whether it’s methodologies, control descriptions or technologies, we are locked into a monoculture which is leading to a growing systemic risk.

And I’m not blaming others. I drafted most of the original text that evolved into ISO 27002 and achieved the world’s first accredited certification. But I’d love to now see it consigned to the scrap heap. Common sense and creativity have vanished from security. Twenty years ago, the security community was full of competing ideas and practices. Now every presentation looks the same.

A dangerous distraction

Security managers are chained to a backward-looking compliance treadmill that gives priority to old legacy practices, paperwork that no one reads, and outstanding audit actions from previous years. This distraction prevents security managers from looking ahead and addressing emerging issues.

A few days ago I sat through a presentation from a legal firm who have rolled out a most impressive suite of new security technology. The speaker admitted that “we’d be more likely to win business with an ISO certificate”. Unfortunately, there are few prizes for smart security thinking.

A legacy full of holes

A more worrying problem is the impact of technology monoculture, resulting from herd adoption of market leading products. A few weeks ago I asked Jason Larsen, a top SCADA security tester, what he felt was the biggest vulnerability in enterprise infrastructures. “Best practices” he replied, “Everyone uses the same firewalls, AV and operating systems. You only have to test a new attack against a small number of products to see if it works”.

The traditional Swiss Cheese model of defence in depth is falling down. It’s not just methods, standards and technologies that have failed to keep up with a changing threat landscape. We also lack the communications and psychology skills needed to influence security attitudes and behaviour across an extended community of networked staff, customers and suppliers. Not to mention the skill of reverse engineering that’s now needed to test application systems to the same standards used by attackers. Our professional development schemes have more holes than a slice of Emmental.

Bright spots on the horizon

There are, however, a few rays of hope in the security solution space, though they have yet to register on the security community’s radar. The Global Security Challenge encourages and rewards innovative security technologies. Competitions like this are vital to keep promising technology start-ups alive at a time when venture capital is thin on the ground. There are also numerous opportunities from the emergence of virtualisation and trusted computing technologies.

Virtualisation transforms the infrastructure from both a user’s and an attacker’s perspective. Replacing a fixed network of physical platforms with an abstract virtual environment changes the battle space, as well as the solution and problem space. Surprisingly, very few security managers seem to have noticed this trend.

Trusted computing also offers huge potential for eliminating a large slice of the risk landscape, through reliable, automatic device authentication and data encryption. Trusted platform modules are installed in virtually all PCs and laptops. Hundreds of millions have been shipped. This technology offers solutions that are cheap, transparent, secure and easy to install and manage. But they’re yet to be used, largely because they simply don’t feature in the security manager’s tool kit.

Security managers would do well to consider how phone companies, satellite TV services and popular music sites secure global networks from large-scale fraud. It’s usually based on a simple, cheap, automatic mechanism, rather than on the clunky identity management systems that are more familiar to security managers. Neat proprietary solutions are powerful, though open ones are even better.
