Pursuing
Security In An Insecure
World
Last
week I attended a very different kind of briefing. It was organized by one of those mysterious Washington
consultancies (CSIS) and an association of high tech firms (ITI)
that’s been around for years and has recently gone higher profile
around the issue of security and IT.
A
number of prominent IT industry spokespeople, including Nick
Dinofrio, VP of Manufacturing for IBM, and Bill Gates, Microsoft’s
Chairman and Chief Software Architect, spoke to a mixed group of
government managers, analysts, press, and IT industry colleagues.
There
were the usual discussions:
 |
Who
should be in charge of what?
More particularly, when should the government be in
charge and when should industry or user organizations make
security decisions. Interestingly,
a certain amount of tension was clear, with a representative
of NIST (the National Institute of Standards and Technology)
asking industry representatives for input to standards and
industry execs asking for guidance.
It appeared as if everyone just wanted to do something,
while being able to retain the right to blame someone else if
things didn’t work out.
|
|
What’s
the right thing to do? Unexpectedly,
one of the best presentations of the day was by an unscheduled
speaker, John Hamre, President
and CEO of the host, CSIS, speaking on Homeland
Security, Domestic Surveillance, and the Right to Privacy.
He made the very smart observation that we may be
making the mistake of making the haystack bigger, rather than
doing the hard job of looking for the needle in the haystack
(that is the terrorists who may be hiding in the U.S., waiting
to do their evil deeds).
|
He
meant that many of the current government initiatives are aimed at
collecting more and more information on more and more citizens (or
visitors), without logical analysis of the relative value of that
information – or the means by which we might examine it on a
timely basis. His
real point is that we should probably be looking at identifying the
much more limited information we actually need to get the job done
because it would be less costly to collect and much less intrusive
to collect it.
There
were also interesting panels of industry executives chaired by Steve
Lohr of the New York Times and Steve Levy of Newsweek.
Security is and should be a top priority with IT
executives. But we need
to use tough analysis to look at our vulnerabilities and our
priorities. We also
need to stop talking about the need for more security and to start
doing something about it. Too
many surveys show that we do a lot more talking and worrying than
implementing. Maybe if
we did better analysis, we’d be able to see the real size of the
job (the needle, not the haystack) and be ready to take it on.
(back to top)
