Wednesday, 12 May 2010

Innovation

After a hectic couple of months I've finally found a little time to put up a new post...

One of the tasks I've had to complete recently was that of acting as a judge in a competition to find innovative solutions to a certain security problem. This has caused me to consider the entire concept of innovation and its relationship with security, primarily because a couple of the entries I had to judge presented me with something of a conundrum. The conundrum being: were these entries truly innovative or nothing more than snake oil? Was my lack of confidence in these proposals due to poor presentation, poor content or my own inability to understand something truly innovative? How do we distinguish between true innovation and snake oil? If something is truly innovative, what realistic metrics do we have at hand to justify any kind of value judgement? And, if something is truly innovative, that means that it's also going to be new and unproven and therefore scary to security types. Like me.

So, what do we do about innovation and security? We can't ignore it. We always have new problems, or battlegrounds (e.g. the cloud which tends to be a new battleground for old fights), that are crying out for new solutions. What I don't think we have are particularly pragmatic ways of adopting new solutions with any degree of confidence - existing assurance schemes (think Common Criteria) are just not appropriate for adaptable solutions to fast-moving problems. Anyone out there got anything useful around managing innovation in a security context?

3 comments:

Duncan Hart said...

Good question. Innovation in the security market place is long overdue. And how to manage it? End customers must demand transparency in supplier offerings. How else can informed risk assessments be made?

Lee said...

Fully agree that transparency is a key factor. I still have the problem of assurance of the information provided - is the 'new' problem that has been identified actually new? Or a problem? Will the proposed technology actually counter the new problem? Will the new technology actually function as advertised (more traditional assurance)? It's the first few questions I'm having a bit of a problem with at the moment. All I can think of is that we, as professionals, need to keep ourselves up to date with what's happening so that we can judge each innovation on its merits. Problem being that it's not really sustainable to keep up to date and be intimately familiar with everything in the security space - particularly if we also have day jobs actually delivering stuff! :-)

Duncan Hart said...

At the macro level I don't believe there are any new problems. The ultimate root problem will always be misplaced or misguided trust.
My simple approach in evaluating new technologies is to see if there's a clear, simple and specific goal that can be measured. And at the end of the day there's no better approach than to strip away the marketing speak, open up the hood and have a good look around. I have previously found Threat Modeling to be a useful tool to validate claims.