For the past several years, the information security industry has been saddled with labels annually. 2013: year of the breach; 2014: year of the BREACH (we really mean it); 2015: year of the MEGA breach (it's gotten worse!). And with those labels every year I hear the phrase 'this is a pivotal year in the industry'. Is it really a 'pivotal' year when we say it every year? I think yes. But not in the sense it is intended. The implied meaning is a significant redirection of progress or a moment of monumental epiphany. I believe the 'Pivotal Years in Information Security' are more accurately described in terms of moving a heavy piece of furniture.
Ever move something really heavy by yourself? The armoire in your bedroom? That massive bookshelf in the living room? The only way for one person to maneuver something heavy is the old 'pivot' method. Everyone knows this move. Move one corner, move the opposite corner. Repeat as necessary as you slowly walk that behemoth piece of furniture across the room. You move that heavy object one step at a time. And information security is REALLY, really heavy - like armoire-on-top-of-the-bookshelf heavy. So the movement by each pivot in our industry is very small. Or so it seems.
This doesn't mean that important advancements and breakthroughs are not happening in our industry:
- The dialogue of information security has reached the executive conference room. Questions are being asked; budgets are being loosened; corporate objectives are being set - all due to a rise in awareness around the real threats facing companies today. Catastrophes such as Saudi Aramco and countless others have awakened many an executive, making cybersecurity a board-level concern.
- Discourse around the balance of privacy, security, legislation, regulation and the collective future of our technology universe is growing. Jennifer Granick's keynote at Black Hat last week discussed this imperative. The debate around surveillance and freedom is becoming a frequently discussed topic. Layer on nation-state actors and legal restrictions on security researchers, and now cybersecurity is a political issue as well.
- Technology continues to evolve and innovate. There is no shortage of existing and emerging companies with interesting and significant visions of how to attack security gaps. And there is no shortage of digging into the technologies that are rapidly invading our world - most noticeably the vulnerabilities highlighted at Black Hat and DEF CON last week, such as the Chrysler Uconnect threat and the RSA research released on the Terracotta Army.
So what is the answer? We continue to slowly pivot the heavy object across the room. However, if you really want to move furniture around your house, what is a better approach? It's easy - invite a few friends over, order some pizza and get to work. Hearing the phrase 'this is a pivotal year' for our industry should be a clue that we need to continue to collaborate, share information and communicate. One final note to consider: moving that piece of furniture is not a matter of everyone grabbing hold and pushing and/or pulling. Without coordination and direction, you are more likely to cause damage than anything else. Every year is a pivotal year for information security. What part are you going to play?