Sam Dekay

An Open Letter to Warren Axelrod: Yes, InfoSec, You’re a Heck of a Job

Now, is the state of information security truly worse than the state 25 years ago, or have the stakes simply become higher because our technology supports a greater number of critical systems and the points of vulnerability are more numerous?  I would submit that the field is still essentially driven by the same reactive, crisis-resolving mentality that prevailed decades ago.  However, the current technical, legal, and political environment reveals, more starkly and in a more public manner, the inadequacies of this reactive mentality.

Second, your discussion of the chasm between the claims of InfoSec researchers and the realities of on-the-ground information security practice deserves close examination. In your article concerning “BSIMM: Top Ten Surprises,” you mention that the authors of BSIMM developed a listing of several “surprise” findings as a result of their research. One of these, it seems, is especially relevant: “Researchers, consultants and reporters care more than practitioners about the who/what/how of attacks.”

Now why, do you suppose, is this the case? And why, in a broader sense, does it seem that InfoSec practitioners are often ill-informed concerning the research conducted by government agencies, by universities, or by not-for-profit organizations (such as BITS)? I think there are many answers to this question (including the lack of well-defined channels of communication between practitioners and research communities). However, among the most important factors would be a seemingly obvious observation: Information Security is a profession, a field of study, and a job
