
November 2002

Infosec's New Accountability

BY Thornton May

Let's see, what are my prospects for accurately gauging trends that will impact information security over the next few years? What do the thinkers I admire have to say?

Futurist Al Toffler observes, "The future arrives at the wrong time, in the wrong order, and no straight-line extrapolation is ever accurate." Hmmm.

As if that's not discouraging enough, this one could plunge me into despair: Harvard professor Clayton Christensen suggests, "Stop trying to predict the trajectories of disruptive technologies, because predictions just won't work."

If we can't extrapolate, and we can't predict, what options remain? We can still give it our best shot. At the risk of being presumptuous--if not prescient--I present five über-trends that I believe will make a difference.

  1. Growing middle-class awareness of "digital ignorance." The sleeping giant of societal change--the middle class--is waking up to the fact that they need to know more about their computers. Just as the first "accidental" farmers changed behaviors from hunting and gathering, it's inevitable that "primitive" computer users will ultimately evolve safer information management behaviors. The Darwinist forces of information natural selection are beginning to exert themselves. However, good security practice has not yet become a career success genome.

    Sociologists believe that society lacks "digital common sense." Evolutionarily speaking, this means we are currently "unfit" for our environment. It's time for enterprises to design self-help security education outreach programs to help users and trading partners evolve to a more fit set of behaviors.

  2. Increased impatience over lack of progress. Frederick Jackson Turner's Frontier Theory explains that once Americans know where they want to go, they want to get there in a hurry. Unfortunately, most organizations don't have a map of the information security frontier. There is no "there" there.

    People are increasingly dissatisfied with the lack of progress in cybersecurity. The rubber chicken circuit is littered with single-shingle consultants flogging lame FBI/CSI stats telling us that things are getting worse. Off-the-record conversations with board members and "C-level" executives reveal an almost unanimous dissatisfaction with the current practice and practitioners of information security. The "suits" have begun to personalize the corporate cybersecurity problem--they blame the incumbent.

    The potential consequences:
    • Rapid turnover in the CISO position.
    • Reactionary "make-us-safe" infosec legislation.
    • Anger-based outsourcing decisions.
    • Succumbing under time pressure to vendor promises of "silver bullet" technical solutions.

  3. Emergence of a new kind of security leader. Infosec used to be a "guy thing," dominated by men with backgrounds in physics and mathematics and retired military officers who served in the signal area. The high ground in security management is no longer technological. It's behavioral. CISO-type positions are increasingly going to be filled by women, often with an undergraduate degree in the sciences and an advanced degree in the social sciences.

  4. Emergence of new, less technical approaches. Just as it's wrong to treat patents as so many equal units of inventiveness, it's wrong to equate the number of security devices in the technical arsenal with safety. Most modern enterprises have over-entrusted the basic functions of information security to technical tools, creating an information security "missile shield."

    Technical systems have been designed by geniuses to be run by idiot users. The new design goal of information security will be to make devices dumber and end users smarter.

  5. Growing tension over product liability. Stanford law professor Joseph A. Grundfest observes, "We have engineered large parts of our system on an assumption of trust that may no longer be accurate." Historically, we only bought features and functions from software vendors. They weren't responsible for the ensuing benefit stream and certainly not responsible for the security of the software. Users now want the vendor to shoulder some of the responsibility, and the vendors are squirming. Vendors who are unwilling to change will open the door to those who design software with security in mind.

THORNTON MAY is a futurist whose research helped create the rules-of-engagement for the contemporary CIO. He is an executive education faculty member at the Graduate School of Management at UCLA and teaches the "IT Strategy" course at University of California at Berkeley.


Copyright 2002 TechTarget