Are infosec pros complacent?

He said that the "old-timers" are satisfied doing the same things they have done for years. They write the same old policies, use the same old techniques, apply the same old rules. Second, he said that when these old pros get together in the hotel lounge at a conference, they just sit around, drink beer (I'm a port man, myself), swap tales and perpetuate the old ways of thinking about security.

I speak at about a dozen conferences a year and I see long-time friends and colleagues at most of them. I don't think I agree with this as a universal pronouncement. Lest I be seen as being complacent myself, though, I thought that I might give this some consideration.

There is no doubt in my mind, anyway, that there is a new breed of "young Turk" in the infosecurity biz. These folks are highly technical, well-informed and attuned to the new generation of tough regulatory requirements. They have grown up with phishing, identity theft, complex multilevel networks, ecommerce, etc. They can build firewall rules in their sleep.

A smart IT security graybeard will recognize this talent and put it to good use. My students all are experienced either in some branch of IT. Many fit the description of old-timers in our field, just moving on up to a new academic credential. Believe me, not one of these students is anywhere near to complacent.

It's time for us older security practitioners to start training the new breed. Not in security, though, as much as in the ways of "doing" security in a business environment. The next step for the young Turks who want it is where us old folks are now. It's up to us to give back so that when we retire (what's that?) they can step in and do a lot more than tune firewalls and VPNs. They may be the hope of their organizations in an increasingly unfriendly cyberworld. Now, waitress! Another port, please. Beer anyone? It's my round.