"Network guys are already dealing with downtime and metrics. Why can't security be part of that group? Shorten the loop," says Edward Schwartz, former CSO of the Nationwide insurance companies. He says companies should reduce security as a discipline and embed the security team in the other departments, like journalists in Iraq, with just a small CISO's office to coordinate and strategize at a high level.
Christofer Hoff, CISO of WesCorp, a credit union in California, has already integrated his network ops and security teams. "We're baked in now, not painted on," he says. "On its own, infosecurity is thought of as this group that's scratching for budget and throwing technology at the problem. As part of an integrated network/security team, we're a unit to invest in." He is convinced that IT should "stop building its business around what the wiring closet looks like".
That's exactly what Rick Roy, CTO of CUNA Mutual, recently decided. He went to his board's audit committee (with the CSO) and proposed a radical change. "We suggested that we forget the old moat-and-castle model of defence," says Roy. "The new model we'll focus on is a complex shopping mall, with multiple points of entry and exit. In a castle, either you got to cross the moat or you didn't. Here we say: 'Come on in, but before you get into stores, I need to know more about you. And the less I know, the more doors that are locked'."
Roy's networking/security team is restructuring his network based on this new model, though he doesn't even believe that all the technology he needs to make it reality has been invented yet. "By the vendors' own admission, they're a couple of years away, so we're a couple of years away from sleeping at night. But we're going in that direction."
End Amateur Hour
Licensure is so prevalent - one can't fish without a licence - it's hard to understand why it hasn't come to the Internet yet. Or to programming. In fact, one of the most prevalent Big Ideas we received was to license programmers. Make them sign their code. Make them take a Hippocratic oath. Professionalize the profession. "Make computer science college students take ethics classes," says United States Olympic Committee CIO Becky Autry. "Technology ethics. Business ethics. Life ethics."
In short, create professional standards, which in turn raise the bar on what gets developed and on how vulnerable it is allowed to be. At some point, as with bridges and skyscrapers, you could use these services without worrying much about their integrity.
"My first job was as a technical investigator of engineering failures," says Oracle's Davidson, wondering why such a job doesn't exist for software. "We don't have building codes. I worked in construction management in the Navy. I remember we used to X-ray welds. The welder had a licence too. And you still X-rayed the welds. We don't have that on the Internet."
If All Else Fails, Regulate
"I know I'm using the R-word," says one CISO, "but this is the fundamental problem. This is a market failure with no consequence in law. What we're heading for is [a] major disaster. Then afterward, we'll have to do regulation anyway. And it will be overreaching, emotional and bad."
He's not alone in his opinion. In the US, even regulation-phobic congressional Republicans have been suggesting that the current state of information security can no longer go unregulated.
The Big Idea seems to be to emulate the Sarbanes-Oxley Act: Force companies to report to the Securities and Exchange Commission compliance with an information security standard based on the International Organization for Standardization's ISO 17799 or something similar.
But mandating software security may be just the beginning. Other ideas floating around include Internet postage to dam the torrent of spam, and mandated security functions built into computers the way seat belts and air bags are built into cars. Another source suggests that companies handling sensitive transactions be required to diversify the portfolio of technology they use (just as brokers diversify financial portfolios to offset risk), forcing them to run more than one operating system.
"The US government's on the warpath right now," says Paul Proctor, a vice president of Meta Group. "I've watched organizations blow off security for 20 years. [Regulation] makes companies move. It costs them money but the reality is, they're not doing this stuff, and they need to be forced."