Information security is not a static process–you cannot “lock down” information the way the Air Force has tried to do, prohibiting all flash drives because it has failed over decades to actually embed security in every aspect of the process from human to download alerts. Interactive feedback loops are simple and effective. Winn Schwartau pioneered time-based security and risk-based security. Now if we just accept the fact that 80% or more of the information we need to be effective is not secret, not in English, and often not online at all, this represents a 180 degree turn away from the current focus on centralized cyber-security to the exclusion of all else (such as mission effectiveness). As Russell Ackoff put forward: we have been doing the wrong thing righter, and are about to spend $12 billion doing the wrong thing righter, instead of going ALL STOP and redesigning all systems, human to technical, around M4IS2 (multinational, multiagency, multidisciplinary, multidomain information-sharing and sense-making). One can no more merge all the Serious Games into one World Game than one can merge all the stovepipes into one “all-source” system. We have to do a clean-sheet requirements review and design for M4IS2 success, otherwise we automatically default to more of the failures that NSA and its various contractors are so notorious for….
Robert Garigue, CISO Briefing