Wrong on both counts, I would say. First, it's highly relevant to your security assessments: the threats and exposures in your security profile are changing, and changing ever faster as the sun rises on the new Information Age. Second, you cannot afford to wait, because it takes a long time to develop, justify and implement new countermeasures.
Do not believe those security gurus who preach that your countermeasures should be based on historical incident data alone. Such data is a powerful tool for highlighting trends and setting short-term priorities. But it will not tell you what will work in the future. And it might even suggest that your existing measures are worthless, simply because the threats they were designed to counter have not yet been encountered.
So how can we better predict emerging threats and exposures? Some would say it's impossible, although I disagree. There are techniques for understanding the future, or at least identifying the important challenges that we are likely to experience over the next decade.
Let's take technology. Most of the products that will emerge over the next five to ten years are predictable since it takes a long time to research, develop, fund, build and implement new technology. Such technologies must be sitting in a research lab today.
We also know a lot about the characteristics of the Information Age. Alvin Toffler and others have written numerous books on the subject. In particular, we should note the impact of the "Network Effect".
Networks are the first major construct of the Information Age, perhaps equivalent in significance to the factory in the Industrial Age. Networks change business by cutting through corporate perimeters. They change society by breaking down the boundaries between personal and business lifestyles. And they change security by introducing new forms of asymmetric threat, where a single attacker with modest resources can reach every connected organisation. All of this must be factored into the security architectures you are designing today.
If we want to make the most of the opportunities around the corner, we must rethink our approach to security.
Perimeter control is unsustainable as a single level of defence. VoIP will make this worse, because voice traffic now rides the same data network as everything else. And wireless services don't respect physical boundaries. We need to re-engineer our security perimeters to safeguard the assets that really count, the data and the applications, rather than the infrastructure that happens to carry them.
By building stronger security controls into applications, we can liberate users, exploit low-cost public infrastructure and work more closely with our business partners.
And isn't that a future we all want to see?