I was delighted, although also somewhat surprised, to read your column of April 27, “Infosec, You’re Doing a Heck of a Job!” The article depicted (I think accurately) the existence of a considerable chasm between claims espoused by the information security research industry (as exemplified by the RSA Conference) and the considerably less sanguine assessments of the capabilities of practitioners to prevent exploits and breaches (as reported in The Wall Street Journal and other media). I was surprised, though, by your bleak assessment: “…information security is in the worst state that it has ever been.”
I would like to raise issues concerning your summary of the current state of information security, explore some of the likely reasons for the research chasm, and speculate on possible relationships between the two.
First, is it true that InfoSec is “in the worst state that it has ever been”? Judging from the reportage emanating from Siobhan Gorman and others, there seems to be evidence for such a claim. But, I wonder if the publicizing of high-profile incidents is itself the major reason we think that information security is becoming more ineffective? In the 1980s, for example, there were virtually no discussions of “computer security” in the popular press. But then, in the 1980s, there was also no widespread use of untrusted networks (such as the Internet) and no statutes and regulations concerning the control of identity theft or computer-borne invasions of privacy. Instead, as you undoubtedly remember all too well, we had the problem of controlling access to MVS and other mainframe systems. This was pretty dull business for mainstream journalists. (Although, of course, we didn’t call them “mainstream” then.)
Oddly, even though the scope of their responsibilities in the 1980s was rather narrow, information security practitioners did not have a sense of their being effective and proactive agents, dutifully protecting critical information assets. Instead, there seemed to be merely ceaseless complaints. Internal auditors inevitably identified problems with access control, systems programmers and application developers maintained that InfoSec was needlessly “handicapping the hired” with overly rigorous controls, and senior managers often had problems justifying the very existence of security staffs. (After all, most of the real fraud was occurring by insiders who manipulated manual procedures for nefarious purposes; real computer fraud in the private sector seemed to be a rarity.) Practitioners were frequently reactive, rushing from fire to fire, and hoping that new crises would not emerge before the embers of the old had at least become nonthreatening.
Now, is the state of information security truly worse than the state 25 years ago, or have the stakes simply become higher because our technology supports a greater number of critical systems and the points of vulnerability are more numerous? I would submit that the field is still essentially driven by the same reactive, crisis-resolving mentality that prevailed decades ago. However, the current technical, legal, and political environment reveals, more starkly and in a more public manner, the inadequacies of this reactive mentality.
Second, your discussion of the chasm between the claims of InfoSec researchers and the realities of on-the-ground information security practice deserves close examination. In your article concerning “BSIMM: Top Ten Surprises,” you mention that the authors of BSIMM developed a listing of several “surprise” findings as a result of their research. One of these, it seems, is especially relevant: “Researchers, consultants and reporters care more than practitioners about the who/what/how of attacks.”
Now why, do you suppose, is this the case? And why, in a broader sense, does it seem that InfoSec practitioners are often ill-informed concerning the research conducted by government agencies, by universities, or by not-for-profit organizations (such as BITS)? I think there are many answers to this question (including the lack of well-defined channels of communication between practitioners and research communities). However, among the most important factors would be a seemingly obvious observation: Information Security is a profession, a field of study, and, a job.
Most InfoSec practitioners have jobs within financial, educational, governmental, medical, or industrial institutions. These institutions are bureaucracies, requiring constant attention to various administrative and other tasks that facilitate the day-to-day operations of the organization. Information security professionals are not immune to the need to perform these operations. There are always time sheets to complete, emails to read and write, employees to supervise, budgets to negotiate, service provider contracts to examine, projects to manage, reports to compile, and meetings (always meetings) to attend. Many of these tasks, including managing projects and preparing budgets, will have a direct influence upon the quality of information security services provided within the institution. Other tasks, however, may serve the needs of bureaucracy but diminish the time and energy that could otherwise be devoted to the effort of securing information assets, or of attempting to develop an au courant familiarity with recent research developments in the field.
Practitioners in virtually all professions complain about the drain of “paperwork” upon their productive time. Police officers, teachers, physicians, attorneys, virtually everyone who works, bemoan the seemingly unproductive effort that is required to prepare reports and attend meetings required by their respective bureaucracies. But this venting should not be met with a mere shrug of the shoulders: These administrative duties do often serve as distractions from the real jobs to be accomplished. Theorists in the fields of management and organizational behavior are continually attempting to investigate this phenomenon and develop new ways to allocate time and resources in such a manner that productive time is maximized. We can only hope that, one day, these theorists will develop practical solutions that have real influence upon the workplace. But the record to date is not promising.
Of course, Warren, you see where this is going. As you (and, judging from recent press releases, President Obama also) have noted, the proliferation of vulnerabilities in public and private networks and applications has also increased risks and the likelihood of unauthorized disclosures. Yet, the working environment of most information security practitioners remains inextricably linked to a mindset characterized by reactive response to crisis. This linkage is further supported by a work environment in which the administrative requirements of bureaucracies, requirements that do not necessarily enhance the quality of services provided by InfoSec professionals, are also increasing. Simply put, practitioners have less time to devote to an increasing number of vulnerabilities and exploits.
It would be pleasant to imagine that the work of Information Security consisted of developing ever more effective methods of protecting critical infrastructure and information assets. Certainly, the research community, mainstream and electronic journalists, vendors, regulators, auditors, and even, now, politicians, seem to assume that this is the case. But, among all these voices emanating from the powerful (even from, as you mentioned, the RSA Conference) there is yet another powerful, if less public, assertion. This assertion insists that information security is not merely a vital function but also, a job. If only the requirements of the job always neatly complemented the work of the profession! But it happens far less frequently than we hope.
Perhaps you, or our readers, have some thoughts to share concerning the day-to-day practice of information security and how, in the midst of our meetings, memos, and time sheets, we may aspire to better things?
Thanks for your attention,