If you want to be the next best thing in information security, put aside all those cloud security manuals you're...
brushing up on. Clear your desk of all those pesky regulations and forget trying to interpret compensating controls and whether they'll fill a compliance checkbox for you. Forget firewall rules, encryption key management, and APT. If you wanna be a rock star, figure out how to bring oversight and direction to your profession.
Figure out how to weed through the various and sundry definitions of cybercrime, cyberwar and cyberespionage and stop the confusing juxtapositioning of those three very different notions. Tell us how to reduce the signal-to-noise ration for that trio, and more importantly, clue us in as to who should respond to each, and how.
These are indeed interesting times.
Things are happening in information security… er, check that, things are becoming public knowledge in information security that indicate a rapid maturation and recognition of the importance of what you do.. We're starting to see what focused, organized groups of criminals and political and military organizations can do with cyberweapons. We are understanding that the same cyberweapon used to take down a banking website, could be the basis for a more powerful tool that could inflict damage on a critical infrastructure. My zero-day vulnerability that is open to a SQL injection, could be your zero-day that spins a uranium-enrichment centrifuge into oblivion. No other industry works this way; faulty Toyota gas pedals won't shut off electricity to the West Coast of the United States.
You wanna be the next security rock star? Figure out how to respond in a big-boy voice to this dynamic. Realize that criminals are opportunists and will move on to the next target if your security is too strong. Realize that a state-sponsored intelligence operator probably won't move on, and instead will jab and poke and probe until he ruptures your defenses (that's what money and patience will do for ya). Realize that while yes the attacks might be the same, the risk aversion and ultimate response might be totally different. For years you wanted to be heard, well this is your time to shout.
This is a turning point, an inflection point -- and the point is that this opportunity for security professionals, practitioners, and experts cannot be wasted. Since the start of 2010, we've had Operation Aurora, Stuxnet, HB Gary, the further development and sophistication of the Zeus Trojan, and several countries on the brink of revolution taken off the grid. The Internet is a platform not only for economy, but it can be used for anything society can dream up; even crime and warfare. And it's been done at a speed few dreamed possible a decade ago. Today is the time for legislative and executive guidance. Serious discussion has to be held on ground rules of incident detection, response and reporting beyond the four walls of your corporation.
Maybe you knew that, for example as in the case of Stuxnet, an infected USB stick could derail a country's nuclear program for a half-decade. Maybe you knew that the cat-and-mouse game between the U.S., China and Russia over intellectual property and strategic national documents has been going on for years. Maybe you knew that security companies were running clandestine operations for the U.S. government.
The bubble on your self-contained world of network security and compliance reporting has burst. Information security is going to go mainstream; hell, even Stephen Colbert riffed on HB Gary. And funny thing, this is what you wanted all along. It used to be you wanted a regular sit-down with the CEO to explain why what you do matters. Data breaches and the resulting compliance made that scenario real. Don't wait for another incident get out in front of this. It's time too for the security industry to turn its visibility into a positive, flex some muscle and make sure the right people have the right information to make the right call.
Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to firstname.lastname@example.org.