You might not know David Lacey by name, but if you’ve worked in infosec his work will be very familiar to you. He’s often called the father of the ISO 27000 standards for information security management systems.

I had an opportunity to talk with David Lacey at the recent AISA conference. We spoke about the current state of information security and the challenges facing vendors, users and professionals trying to make it all work.

“The problem I see is that security professionals are not allowed to practice real security. If you practice real security you’ll say ‘Get those people off the network’. If you do that you’ll be sacked and be unemployable,” he says.

As a result, he says, information security professionals “go native” and say that they are being “business aligned”.

“But what they mean is they’ve gone soft and are not standing up to the business. The business doesn’t want to do security. Nobody in their right mind wants to spend money on security when you can blame IT when it all goes wrong,” Lacey says.

Security professionals, he argues, need to challenge the business more rather than bending to its whims.

Lacey agrees with another AISA speaker, Jane Frankland, on the importance of gender diversity in information security. When running large security departments, such as at Royal Mail, he often preferred to hire women as they were better negotiators.

“Women tend to be more tenacious, they’ll use a bit of charm and have perseverance. They won’t take no for an answer and they won’t be bullied as much as men.”

One of the other problems Lacey identified is that many consultants are not much more than “spreadsheet operators”. Although they have spent a lot of time identifying issues by looking at data, they aren’t problem solvers.

“With all the tick-box stuff we have, we’re breeding a generation of young consultants with no problem-solving ability or skills.”

When it comes to the role of users, Lacey says the systems we use aren’t designed to allow users to make mistakes. He contrasts this with aviation, where systems are built with the expectation that mistakes will be made, so appropriate controls are baked into the design.

“In security we don’t do that. If your password gets stolen or you get socially engineered, you’re screwed,” he says.

Another challenge is that we have a “blame culture”, says Lacey.

“In security, nobody ever does anything until something goes wrong, and then they sack somebody to show they’ve ticked the box, blamed somebody for it, and then the board is blame free.”

In contrast, Lacey says safety inspectors look for the underlying root cause.

“It won’t be the person. Why did the person make the mistake? Maybe he was put under pressure, not trained properly or not out in the facilities. Let’s fix those problems and not have a blame culture.”

People want to get things right, but they aren’t given the right education and opportunity, he says. In particular, Lacey says many education programs are very condescending and unsophisticated.

When it comes to vendors, he says they don’t really have research labs that develop true solutions.

“They tend to jump on a big bandwagon, whether it’s big data, AI, immune system concepts. A lot of this is marketing. What we are seeing is a lot of identical solutions being developed by everyone.”

Lacey also pointed a finger at the number of false positives many systems generate. For example, while there were alerts generated during the 2013 Target hack, Lacey says it’s possible so many alerts were generated that it was simply impossible for the real problem to be easily identified. And, because the real alerts were buried, the CISO was sacked.

“There’s a problem with the usability of these tools.”

Lacey’s most recent work is a massive undertaking. He is working on a database that joins physical objects and actual processes directly with compliance systems. While many say standards foster a lowest-common-denominator approach to security, he says that by linking compliance with real activity we can make compliance far more valuable.

“If we can ask real questions about real things and record information about real events, activities and objects, then that might work.”

Ultimately, Lacey believes his invention will be able to automatically scan a network and complete, for example, an ISO 27000 questionnaire. However, it will work with other standards too, so that compliance checkboxes are managed automatically and security teams can focus on solving the bigger issues of usability and resilience.