As an armchair student of the big transitions that happen in the IT industry, I've learned that the hard part is getting your mind wrapped around a relatively new perspective. We, as technologists, tend to focus on how things work, rather than what they might mean.
For example, the internet isn't really about packets and DNS so much; it's about what can happen when connectivity becomes ubiquitous. Tablets and smartphones are really about when consumption becomes ubiquitous as well.
Cloud isn't about sterile NIST definitions, it's what happens when IT organizations realize they're no longer a monopoly and have to compete for the business.
Big data isn't a capacity problem; it's really about learning a new form of creating value from massive amounts of information.
Get the right perspective on a specific transition, the rest becomes mostly a matter of evangelism and execution. Fail to get the right perspective, and you won't make much progress at all.
And so I enjoyed reading the recent findings of the RSA-sponsored Advanced Threat Summit.
The Back Story
The latest challenge on the security front isn't necessarily an exotic new threat vector: it's the attackers themselves. They're organized, well-resourced and patient. And there's no silver technology bullet to effectively combat them.
If you'd like to read my quick backgrounder, it's here.
Although I am most definitely not a charter member of the IT Security Inner Ring, I do watch closely how the discussion is evolving here, and it appears to be moving very fast indeed.
Many historical precepts about how to think about IT security appear to be quickly falling by the wayside. IT security organizations are now re-thinking how they're organized and how they think about their job. And all sorts of newer technologies are getting pulled in alongside more traditional ones.
It's A Good Time To Be Talking
During periods of rapid transitions, meaningful conversations between key stakeholders are incredibly valuable. Towards that goal, RSA and TechAmerica recently sponsored an invitation-only Advanced Threat Summit with a list of participants and speakers that reads like a Who's Who In The Security World.
The good news? You can get a quick synopsis of the key findings here. The better news? Interest in the topic is understandably sky-high: you'll be seeing more events being scheduled before long.
It's An Interesting Time To Be An IT Security Professional, Too …
Most IT security pros I meet tend to be under-appreciated, working tirelessly in the background to protect valuable information assets. For many organizations, coming up with an enhanced approach to IT security is now front-and-center. IT security managers are now being asked to be IT security leaders.
It's not an IT discussion anymore; it's becoming a business discussion.
But, if I'm being honest, my impression is that more than a few IT security professionals will need to step up their game to be effective in this new world.
That's not good. People outside of the security world need to understand what's going on here, and why it matters to them.
The sometimes-alarmist tone of external communications has to give way to a clear-headed and sober view that there's a new class of problem out there, and organizations are going to have to invest in a new class of responses.
There will be good days, and not-so-good ones. There will be no perfect solution.
Inevitably, business leaders will need to invest the tools and processes to understand and mitigate the new class of information risks just like they understand and mitigate financial risks, geopolitical risks, legal risks and so on.
And in one sense, the new security discussion really isn't all that new :)