When the only tool you have is a hammer, it's tempting to treat everything as if it were a nail, wrote Abraham Maslow a few decades ago. Given this observation, it’s not surprising that most of today’s information security efforts seem to focus on networks and systems. Gunnar Peterson observed that this is because infrastructure is the "background and hobby interest of the majority of technical people in the industry."
In addition to the infrastructure security "hammer," our toolbox needs to incorporate the following elements:
- Domain expertise related to the industries and business functions supported by information security efforts. Security cannot function as a standalone discipline. Merely having technical security expertise isn't enough.
- Data and analytics for determining which security and risk management approaches actually work. E.g., Malware defense metrics.
- Application security skills to develop software with fewer vulnerabilities and to mitigate the risks associated with the flaws that find their way into applications. E.g., Building a Web Application Security Program by Securosis.
- Practical security guidance to individuals who interact with sensitive data. For instance, we need security awareness training that doesn't put people to sleep. For some ideas, check out SANS' Securing the Human blog.
- Security tools that work according to users' expectations and that are tied to the ecosystem of people and processes that rely on them. Security Scoreboard might be a piece of this puzzle.
- A "yes" mentality that positions infosec as an enabler of business processes ins a risky world. Too many security practitioners seem to strive for absolute security. E.g., security pros might be too cautions of cloud computing.
These ideas are congruent with the concerns I expressed when outlining the worrisome state of the information security industry. However, that note pointed out problems without saying much about solutions. Looking at ways of expanding the security toolbox might be a more constructive way of tackling the issues.
Update 2: In a follow-up post I offered my tips for how to Down the Walls Between Application and Infrastructure Security.