As I posted last week, with the rise of Web 2.0 and specifically Gov 2.0, now is a terrific time for the security community to surge ahead in innovation and create sustainable solutions for the next generation of platforms and users. This week we’ll look into the final two points I have to share prior to the Summit.
The fourth point is that Web 2.0 has brought back a discussion of truth and identity in a way that becomes a more tractable issue for the security community. Somewhere along the way we got lost in absolutes — it must be secure, your identity must be fully attributable, trust must be implicit/explicit and 100 percent guaranteed. And yet, there has never been a completely impenetrable system. Identity is contextual, it changes over time, and past performance is not indicative of future results. The same can be said of trust and trust networks/relationships. Web 2.0 practice and principle gives us new insight into how you can scale big systems and manage security and identity in a way that doesn’t require absolutes or static interpretations of assurance requirements. It also provides new mechanisms to deal with the community’s perception of privacy and security in a way that both raises the bar AND informs security practitioners, productively and in real time, of the risk tolerance of both the user community and the system owner.
Fifth, we need to start making real security data available and using it to make better decisions and better systems. We’ve got a terrific start with consensus models like the CVE, CVSS, CWE, and others. What’s needed now is for system security designers and developers to make the leap beyond trying to build the next great security application and focus on building the next truly amazing security platform. Systems that can adapt to planetary scale requirements and are valued by those outside the security community not just as enablers, but as capability multipliers. We need the Facebook, Google, or Twitter equivalents for the security community. Systems that leverage the practice and principle of Web 2.0 in the service of Gov 2.0. After all, keeping all the “security-relevant” data to ourselves decreases its value almost instantly while putting data in motion creates value and improves the risk environment for everyone.
With just these five points, you see that the role of the security practitioner is likely to radically change in the coming years. With more security being built in and not bolted on (and legacy systems protected by the infrastructure on which they reside), a more capable developer community, active worldwide government involvement, and opportunities to gain new insight into risk tolerance and practices that work (science, not applications), we really need to ask ourselves how we can capitalize on these tip-of-the-iceberg trends to further tip the scales in favor of the good guys.
I think having the security community embrace Web 2.0 and Gov 2.0 is what is sorely needed both to give the security community its mojo back AND start delivering on its promise to enable people and organizations to thrive in cyberspace safely.
Your thoughts and comments are welcome.