More so in the past three months than at any time I can remember since the 'great cryptography wars' of the 90s, InfoSec has become overrun with Fear, Uncertainty, and Doubt (FUD).
Marketing pitches have somehow moved beyond guarantees of protection against APTs straight into Dragon Tear Mace. We're on the verge of bottoming out and reconstructing our collective industry souls.
The next three years will be exciting times for our industry. And the first major breakthrough will be finding our pariahs.
Every major movement has a pariah moment that, whether remembered or not, changes the approach of The People radically and quickly. In environmental activism it came from Bjorn Lomborg ("The Skeptical Environmentalist") and in military projection/geopolitics it came from Thomas P.M. Barnett ("The Pentagon's New Map").
You can endlessly debate the staying power and nuances of the messages, but the bottom line is that the ~way~ people thought about problems changed significantly with Lomborg and Barnett.
You may not remember it well, but take a good look through Google News, LexisNexis, and Factiva. You'll notice roughly the same three-year cycle: first a small, vocal group of "thought leaders" responded that Lomborg and Barnett were idiots, naive, or liars. Then the ideas slowly crept into The Economist, the NY Times, the WSJ, etc.
And finally, while simultaneously dismissing their contributions, people started sounding more and more like Lomborg and Barnett. In Lomborg's case it went as far as institutional character assassination, later rebuked and reversed by a broader government investigation.
I think it is beneficial to concentrate on Lomborg for the moment, in particular on these three books which he wrote or edited:
- The Skeptical Environmentalist (2001)
- Solutions to the World's Biggest Problems (2007)
- Global Crises, Global Solutions (2009)
The specifics of each book's details or proposed solutions are not the key takeaway. The key takeaway is that Lomborg and the contributing authors proposed using resource and fiscal economics, balanced against measurable metrics of human well-being, as the basis for ~all~ big decisions.
OK, so a bunch of you are going: "I do that! This is old news! Pfft, tell me something I don't know!"
Yeah, you're probably right. I'd wager most of my Twitter friends already think along these lines, and have for quite some time. However, the InfoSec industry as a whole does not. And we need a voice, or a few voices, to totally shatter the "thought leaders" of yesterday. Of today, even.
Who decided who these so-called thought leaders are? Where was this committee convened? Consider for a moment that encryption, courtesy of Bruce Schneier, is still quite frequently considered the be-all and end-all of security. It's been nearly two decades since "Applied Cryptography" (1994), and even Schneier, who has spent years since arguing that security is a process rather than a product, can't shake this Ghost of Security.
Here is the good news… great news, actually. Lomborg and Barnett had to come from the proverbial left field to make their impact. Our change is evolving internally, thanks to a pervasive awareness among InfoSec practitioners of bigger issues (e.g. environmentalism and geopolitics). Our pariahs are already in place but not well recognized outside of our community. (I'm going to avoid naming names, unless asked directly, simply because it'd be unfair of me to singularly nominate some people.)
So here is what I'm proposing...
Take the community models that have driven InfoSec's greatest changes of the past decade, in particular a fairly new entry into the community, PTES (the Penetration Testing Execution Standard), and base an outreach program on that model.
An informal to semi-formal committee, peer-reviewing an open wiki that publishes InfoSec practice ideals: things that can translate into Congressional hearings, DoD acquisition guidelines, insurance riders, mainstream media, etc. etc.
Explicitly not built upon an existing certification or standards group. Not (ISC)², not the Jericho Forum, not SANS, nobody... something more organic and peer-driven.
A group like this can take public perception and discussion in a better direction than either anti-virus or newfangled anti-Dragon-Tear APT Conan Swords. A group like this can carry enough weight to temper the FUD of a few pundits whoring repetitive messages to the press.
CNN, the Christian Science Monitor, Fox, etc. need a more balanced message? We got it. Congress needs a more reasonable perspective? We got it.
Yes? Can't this be done in a community-driven, organic, and professional way? I do indeed believe so!
So who wants to put their name in the hat as a prospective Pariah? It'll be the most fulfilling skewering you ever get. -Ali
Cross-posted from Packetknife's Space