Tuesday, December 21, 2010

Top-Five 2011 Security Wish List

Having been active in the security world since the '80s -- first as a user in the Middle East, then building products, services, R&D, and in several roles in critical infrastructure protection -- I've lived through questionable security implementations and decisions that cost both lives and dollars, but I'm excited about the security opportunities that await us in 2011.

2010 brought us leaky cables, crazy countermeasures, fiery sheep, government-sponsored targeted attacks, organized criminals that compromised hundreds of millions of identities, and zombie armies that affect business bottom lines and government policy. All of this came at a great cost to commerce, citizens and civilization alike, so it is incumbent upon the professional security world to utilize the one additional thing these villains brought us -- the greatest cyber security awareness in history.

Think big, think bodacious, think important, and think possible. Move beyond password length discussions, blabbing on Facebook, and x-raying your belly bulges, and focus on what's really important in the new year. To start, I offer five from my 2011 security wish list, and encourage you to suggest your own.

My Top-Five 2011 Security Wish List

1. Public-private partnerships that really work, which means that 'public' needs to share more, and 'private' needs to focus on the greater good, and not just on selling more of their stuff. This is vital to protect critical infrastructure and key resources (CI/KR), and it is vital to protect our juiciest targets from foreign governments, organized criminals, terror groups and wannabes, and home-grown bad guys.

2. A mobile security ecosystem that unites the vendors, rather than divides them. We all now carry and cherish our mobile phones the same as we do our credit cards (always with us, never shared, losses reported immediately), so it's time to make them work as identity tokens across the board.

3. U.S. Congressional support for comprehensive cybersecurity, rather than trying to address it bill by bill, earmark by earmark, and press release by press release. We have a cyber-czar who wants to put good security over politics, many good folks who are returning to govern after success in the private security sector, and a strong push from Congress would serve to unite security across the board.

4. An educational shift toward real cyber security education and training. Humans are still our weakest link, and cyber-education is still the most cost-effective countermeasure. Plus, our shortage of skilled cyber security professionals is not even close to being met by our university systems and handful of professional associations. Despite what a few experts will tell you, security is not black magic; it can be taught to a wide range of people from all walks of life. This needs to be a high priority from K-12 through vocational, university, and advanced education offerings that meet the needs of today and tomorrow.

5. Purchasing agents of the world unite, and agree to no longer buy software that has not been developed in a demonstrable and testable security development lifecycle, be it in a shrink-wrapped box, a gold master, or a 'secure' cloud. Self-regulating sources haven't worked, so testing in a crystal box for all to see is needed.

And this just skims the surface... There are many more, and now is the time to work together on the biggest stage we've ever had, to make a real difference in the safety and security of all we hold dear.

I wish you the happiest of holidays, and I'll see you again in 2011!

1 comment:

Derek said...

I applaud your 5 viewpoints and especially would like to comment on the education of "cyber" professionals. Many schools are quickly jumping on this bandwagon as they see an opportunity to capture the "big bucks" these programs can bring. However, most programs I see are very inadequate. They mean well, but many have simply relabeled old programs or thrown together a hodgepodge of IT classes, sprinkled in one security course, and called this a Cyber Security program. It is a start, I guess. But they have a long way to go. Take this from a cyber security professional and educator trying to make a difference.