At first glance it felt as if some author was trying to get attention with a controversial heading, but as I read the post, I realized the author "drafted most of the original text that evolved into ISO 27002 and achieved the world's first accredited certification". Yes, it's David Lacey (Director of Research, ISSA-UK) expressing his views on the current state of security.
Today’s ISO standards are based on a body of text created over twenty years ago. In fact, aside from a sprinkling of security technologies, which you can count on one hand, nothing really new has emerged in the lifetime of today’s security managers.
…
The traditional Swiss Cheese model of defence in depth is falling down. It’s not just methods, standards and technologies that have failed to keep up with a changing threat landscape. We also lack the communications and psychology skills needed to influence security attitudes and behaviour across an extended community of networked staff, customers and suppliers.
But he also suggested solutions (i.e., what has worked or might work):
The Global Security Challenge encourages and rewards innovative security technologies… Virtualisation transforms the infrastructure from both a user's and an attacker's perspective… Trusted computing also offers huge potential for eliminating a large slice of the risk landscape, through reliable, automatic device authentication and data encryption… One thing is certain: We need much greater vision and investment in new security technologies.