In the 1890s and into the early part of the 20th century, a new way of travel was born. Initially called a "horseless carriage", this mode of transportation eventually changed the way people travelled.
Ironically, I doubt that you refer to the vehicle you have in your driveway or garage as a "horseless carriage." Instead, you probably call it a car, a truck, an SUV or something else; some of you might even have named it (though, looking back, I never named any of my vehicles).
Does it matter if you call it an automobile and I call it a car, a truck, an SUV? Nope. What about vehicle, automobile or whatever marketing term you got? Not for a second. In fact, most of us couldn't imagine life without some mode of this transportation. Hopefully, we will work together to introduce a new framework that will transform the way we practice information security (not IT security) in the future.
The Genesis of Security 2.0
Nearly 18 months ago, I started learning about a fledgling movement called Web 2.0. At the same time, I spent a lot of time working with clients and implementing solutions that felt flat, and started looking for another way.
My personal mantra in life is simple: "to change the way people think." With that in mind, I set out to start building a framework that would allow me to consistently explain my research to clients to help change the way they practice security.
I decided to call it Security 2.0 because it was built on the concepts and lessons learned from studying Web 2.0. But now that I've been working on it and have started to share it, I have come to realize that what we're working on is bigger than a 2.0 name.
The framework of Security 2.0 consists of three dimensions:
1. Leveraging the elements of Web 2.0 that are effective to change the way we practice security. Simply, it's about DESIGNING security in a way where it's easy to explain and it's easy to understand and use. It goes FAR beyond technology and actually gets down to working with people and process to make a difference. Of course, once we have a solid understanding of the culture and the solution, then we mate the appropriate technology to meet the solution. Not the other way around.
2. Securing Web 2.0. Whether you like the term or not, and whether you think it's a fad or not, doesn't make it go away. If you consider yourself a true professional, then it's your responsibility as much as mine to work to INTEGRATE (and bolt-on) security into the new applications that keep coming out.
Let's debate Web 2.0 sometime in the future. I'm not suggesting that I love the name, but the new solutions are coming out, and our users are using them, without regard to security. If we blow securing Web 2.0, we regress as a profession. We have to lead the way in breaking this cycle.
More broadly, we need to really focus on securing 'emerging technologies and solutions.'
3. Preparing professionals to be successful leveraging this framework. It's about how we think, how we present, manage, lead, work with others, and the list goes on. I spent my summer proving these concepts in Fortune 50 companies. They work, and now it's time to expand.
The Value of Security 2.0 as a Framework
To me, the value of this effort is in the collaborative nature in which it is being developed and allowed to evolve. The efforts of everyone contributing to this will be shared in a way that provides them recognition. More importantly, the framework will be open for others and freely shared. Of course, a framework still needs to be reviewed, adapted and applied, so creating and designing an effective framework is the first of an important series of steps.
The Name I Once Liked
I have to admit that all the attention focused on names lately has me a bit frustrated. I wish people would focus more on progress and less on names. The horseless carriage changed the world, and over time, the name changed with it.
While the goal with the Security 2.0 framework is nothing short of helping to change the way people practice information security, I have come to realize that the name, which had a simple start, needs to change in order to be taken seriously and impact our industry.
As a framework, Security 2.0 is not really something to sell; it's something to implement, to use, to practice. The inherent problem with calling it Security 2.0 (beyond the name being usurped for ill-advised marketing campaigns COUGH COUGH Symantec COUGH COUGH) is that it allows itself to be rapidly updated. What's next? Security 2.5? Security 3.0? Security 4.11.23b?
This is a framework meant to aid the development of security solutions, holistic solutions, and to guide the way we practice and explain security to others. At the end of the day, if we stick with Security 2.0 as a name, we run the risk of diluting the value of the approach and of the effort. Clearly, that won't do.
I also started test-marketing the concept with my clients. The name, by itself, did nothing for anyone. After an explanation over lunch, the concepts were clear and the approach welcomed, but the name still didn't ring true. In fact, I was told bluntly, "I cannot convince my management that we need Security 2.0."
The good news is that led, immediately, to a discussion of how to rename it.
The Value of Keywords
One of the steps that I have been exposed to in this process is to list out "keywords" that capture the essence of what you are trying to do. Keywords should capture the essence, the drive, anything that really matters.
As a framework, here are some of the important elements as I see them:
Based on conversations with the Trusted Catalysts and valued clients and friends, here are some of the keywords that have been kicked around to try to spark some ideas for new names for the framework:
Horizon, Security (Period), Revolution, Next Generation, Phoenix, Genesis, Bravo, Next Level, Generation S, V2, Fundamental, Shift, Overhaul
And here are some suggestions for how we can rename this into a framework:
- Integrated Security Practice Framework (ISPF)
- Security Advancement Framework for Everybody (SAFE)
How do you make a difference?
We need to stop talking about names and start focusing on substance.
A subgroup of the Trusted Catalysts has started to work on expanding the current framework. As soon as we get more of the details fleshed out (which we may do in our first conference in 2007), we will post it publicly. And that's when the work begins. We'll need to come together to review it, design it, improve it, test it and then start using it.