The Way Forward for Information Security

Every system has within it the limitation that it cannot exist unto itself. The big problems of Information Security will remain intractable as long as industry participants continue to focus inward.

For the past year or so, I have noticed that, at the same time that security technologies are reaching a certain degree of maturity, security projects remain highly prone to failure. Information Security seems to have struck a ceiling in its development. The tools that we have at our disposal – authentication, monitoring, etc. – seem to be adequate when properly implemented. But proper implementation does not happen enough of the time.

Some time ago, I started taking excursions into the world of Project Management. Certain colleagues of mine had encouraged me to look into PMI’s PMP certification, and so I did. What I found astounded me. No one that I have encountered in the Project Management world (I visit lots of meetings of PMI and Agile professionals) had a clue about Information Security. My knee-jerk reaction was to deride the PMs for their naïveté. But then I recalled conversations with InfoSec people about Project Management. Their attitude was not merely one of ignorance, but of disdain for Project Management as a whole! Let me qualify this statement by saying that there exist a few InfoSec experts who appreciate the value of Project Management, and even a few who actually know how to manage projects. But generally, my conversations and research in both worlds, PM and InfoSec, reveal that these two communities are almost entirely unaware of each other.

The tools now exist; the craftsmen are capable and ready to build great security. But the plans elude them. Worse yet, the craftsmen usually insist that planning is to be avoided. If we, as a profession, are to advance our effectiveness throughout the industry, we must extend our understanding into the fields of knowledge that will allow us to create those plans.

In the days and weeks ahead, I will present one way forward for Information Security: away from dependence upon tools and individual experts, and toward managing teams that achieve results exceeding what has so far been left to individuals.