Over the next three articles, we will consider the past, present and future state of infosec compliance. Please note that these are personal views, not necessarily shared by past employers.
My security career began at a time when data security was a niche subject of little concern to anyone but specialists. It has carried through to the present, when everyone has to be concerned about their own information, because anyone, anywhere is now a potential threat to it. Between those two extremes the attempts, particularly by governments (I worked for one), to ensure compliance were utterly transformed, to the extent that I believe we now live in a post-compliant age.
In this new world, security will always be playing catch-up with the latest incident, to the point where the emphasis must shift from identify/protect/detect/respond towards recover. I hope you will agree that it is useful to look back from time to time, so that we can learn lessons for the future more effectively. We must do as much as we can to avoid the traps of complacency and over-protectiveness that I believe were features of infosec for years. We need to stop fighting the last war.
A Short History of Security
I started security compliance checking in the mid-1980s, before the word "infosec" had been coined. My job in those years was "physical and documentary" security, a simple world in which standards of compliance were easy to judge: the doors were locked, check; all the papers on a file were present and every copy was accounted for, check. The keys to cupboards and doors were all in place, and everyone in the office seemed to understand what they had to do to keep things secure. As if to underline this simple, unchanging environment, our compliance
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by John G. Laskey. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/qhLmWb0wRmQ/