After a hectic couple of months I've finally found a little time to put up a new post...
One of the tasks I've had to complete recently was that of acting as a judge in a competition to find innovative solutions to a certain security problem. This has caused me to consider the entire concept of innovation and its relationship with security, primarily because a couple of the entries I had to judge presented me with something of a conundrum. The conundrum being: were these entries truly innovative or nothing more than snake oil? Was my lack of confidence in these proposals due to poor presentation, poor content or my own inability to understand something truly innovative? How do we distinguish between true innovation and snake oil? If something is truly innovative, what realistic metrics do we have at hand to justify any kind of value judgement? And, if something is truly innovative, that means that it's also going to be new and unproven and therefore scary to security types. Like me.
So, what do we do about innovation and security? We can't ignore it. We always have new problems, or battlegrounds (e.g. the cloud, which tends to be a new battleground for old fights), that are crying out for new solutions. What I don't think we have are particularly pragmatic ways of adopting new solutions with any degree of confidence - existing assurance schemes (think Common Criteria) are just not appropriate for adaptable solutions to fast-moving problems. Anyone out there got anything useful around managing innovation in a security context?
Wednesday, 12 May 2010