May 01 2007
By Jim Reavis
In the perfect world as defined by information security practitioners, there are no surprises. Viruses and malicious attacks bounce off a secure infrastructure. New applications are rolled out only after extensive security architectural vetting and exhaustive testing. CISO reports to the board show continuous organizational improvement. Everything works according to plan. In this world, the sun emits only harmless radiation, and gives off a soft light that masks my aging features.
In the real world, chaos reigns. The papers are filled with incidents, and even if you aren’t in a high-profile organization, the time in a day spent chasing your tail is a lot more than the time you spend pondering the future. As a CISO said to me today, we work to prevent what we can and react to the rest. As I survey the information security threats we are facing today and for the next couple of years, it seems inevitable that bad things will happen to good people with solid infosec programs. The technology gap (e.g. botnets borne by Web 2.0) between the criminals and our defenses fluctuates over time, and it seems as though that gap will be fairly wide over the next 1-2 years.
If you want to think about allocation of infosec resources, my recommendation is to turn the dial over to the side of being reactive: not to eliminate proactive planning, but to make sure you are able to respond quickly. Having a world-class incident response capability is where you need to be. Tell your boss to anticipate the bad news, and make sure you can react quickly. Being good at reacting is actually proactive, isn’t it?
Posted by Jim.Reavis on Tuesday, May 1st, 2007, at 10:58 am, and filed under Articles.