This talk is broken into 3 succinct interwoven topics.
#1. Culture – (Our Backstory) We build our leaders to treat failure as a painful event. Should we fire someone who is involved in an incident? What if the person does it again? The damage is done, the pain is suffered, and the person who is ‘fired’, or whose performance review is subject to this, has perverse incentives. That doesn’t work. Culture plays a role in our work lives, and how we treat failure serves as the backstory for much of this talk.
#2. Regulation – (Our Villain)… Our government may drive our industry into regulation. Attempts to bring some level ‘of sameness’ through laws have been made before. No one will board a plane that falls out of the sky; seat belts and car designs also save lives. Does software follow? Is regulation villain, friend, or foe?
#3. Transparency – (The Jedi) We are not learning because our industry doesn’t share. How do we expect to fix the issues if, from the top down and the bottom up, we aren’t learning?
Our industry has enjoyed a pretty deregulated environment for the majority of its existence. I believe there are ways that have worked in the business world that could translate to the security world… or maybe there are ways that come from the safety world that translate to the security world? Either way, if we don’t act, at some point our industry will face deep, deep regulation, as we will not have proven that we can collectively govern ourselves.
Call to action and calamity ensues.
Moses Hernandez has been working in IT Security since the late 90s. He has spoken at various security conferences and has been an active member of the community since the early 2000s. He is a SANS community instructor and currently works for Cisco Systems. He calls South Florida home. Find all his social media at about.me/moseshernandez.