Core Point: Done properly, security enables MORE risk-taking, allows one to do MORE with LESS. In other words, cyber-security policies that are risk-averse instead of risk-enabling are, in a word, retarded and retard the enterprise. Case in point: Wikileaks leading to no more flash drives–what SHOULD be in place is all the flash drives one wishes, but embedded security that prevents or flags abuse of those flashdrives.
Core Point: It is not possible to have centralized cyber-anything if both the human end-users and all of the (multi-media and multi-lingual) data is distributed. This is especially true of security, which is historically several steps behind mission area processes to begin with, and any form of top-down “regulation” that tends to appear after the fact rather than “just in time.”
The issue that Dr. Garigue articulated as well as anyone I have seen is that Information Security is not just security or just information. I have [this] slide printed out hanging above my desk for several years.
Most security people struggle with this concept, and try to separate these two concepts, and if they do, they miss two very important issues. First, they miss the opportunity to look at security as a business enabler. Dr. Garigue pointed out that because cars have brakes, we can drive faster. Security as a business enabler should absolutely be the starting point for enterprise information security programs. One excellent example of this is identity federation, which enables an easier integration across companies and technologies and puts stronger identity credentials on the wire in the process. Secondly, if your security model reflects some CYA abstraction of reality instead of reality itself your security model is flawed. I explored this endemic myopia in a seriesofposts on decentralization and security. JSB and John Hagel taught us that intgeration and friction cannot be separated, attempts to do so lead to confusion and disorder, and this is the heart of the issue Dr. Garigue's work is articulating. If your business and systems are decentralizing with both hands, and your security model is predicated on centralized, iron fisted control, then the only place your security model works is on the whiteboard.
Phi Beta Iota:Buckminster Fuller and Russell Ackoff nailed it–everything has to be evaluated in relation to energy source and cost and time cost, and you have to focus on doing the right things, not doing the wrong things righter. Where Mr. Pickens went wrong was in sticking with the centralized ownership concept. Wind power and solar power are best for localized applications. The central grid–the Industrial Era top down control grid, is DEAD. Similarly, water and sewage should not be centralized grids demanding massive investments in collection and processing. The graphic to the right shows corruption in the center–when analytics and decision-making lose their holistic integrity, they inevitably fail to achieve the desired outcome while creating cascading costs everywhere else. Military spending in the USA is at the beginning of a nose dive–our military leaders would be wise to get a grip sooner than later, and “beat the dive” by making evidence-based decisions (Advanced IO) sooner than later. Now a really advanced thought: 21st Century national security is about eradicating corruption at home and abroad–this makes possible the creation of a prosperous world at peace. The breadth of that challenge is in the graphic below. That is an IO challenge, not a kinetic challenge. IO must be co-equal to kinetics beginning immediately. In our humble opinion.
