"Can we look for a bayonet?"
That was the simple request of my daughter as we started a stroll through a local flea market (big in Myrtle Beach).
It struck me as an odd question. Turned out that my son, reading everything he can get his hands on, had taken a bunch of books about WWI out of the library. The two of them, together, had educated themselves about trench warfare, and wanted to see what a bayonet looked like.
While searching, unsuccessfully, for a bayonet, we shared a remarkable conversation about how wars and fighting have changed. It was the kids who pointed out how odd it would be to use a bayonet today.
That simple statement put our security efforts in focus: many of the technologies and approaches relied on dogmatically across the spectrum of information security were largely developed in a different time, facing different challenges.
What we call the Internet changed the world. In the process, both have evolved. Security has not yet evolved with it. It's like relying on trenches and a bayonet against a modern army.
I recently sat on a panel with people working on these approaches, professionally, before I was born. And they lament that they've been "fighting the same battle" for over 40 years without success.
While I prefer to avoid “security as war” analogies, this time it works. Changes over the last 40-50 years dictate a change in strategy, technologies and tactics.
Some similar challenges persist, the nature of the world in which we live, the ease of bad actors, and the changing nature of business suggest that the industry needs a different way to offer “security.”
It's time for security to evolve.
This drives the need to create, measure, and effectively communicate value within the organization. Evolution demands security align with the business instead of fighting against it.
This is a break from the silo approach most organizations practice today. For security to be successful, it must be integrated. To be integrated, the value it offers must resonate on an individual basis while aligned with the needs of the organization.
To get funding, security efforts must increase the value of the organization. Demonstrating that value requires a different approach to communication; it means learning to ask different questions, understand the business and avoid confusing jargon.
Ultimately, security needs to change approaches to influence behavior change in the organization.
It's a hard change. It'll likely involve a lot of teeth-gnashing, complaints, and protests. Those who make the turn quickest are likely to yield the biggest returns.