Core Point: It is not possible to have centralized cyber-anything if both the human end-users and all of the (multi-media and multi-lingual) data are distributed. This is especially true of security, which is historically several steps behind mission area processes to begin with, and of any form of top-down “regulation,” which tends to appear after the fact rather than “just in time.”
The issue that Dr. Garigue articulated as well as anyone I have seen is that Information Security is not just security or just information. I have had [this] slide printed out and hanging above my desk for several years.
Most security people struggle with this concept and try to separate these two concepts, and if they do, they miss two very important issues. First, they miss the opportunity to look at security as a business enabler. Dr. Garigue pointed out that because cars have brakes, we can drive faster. Security as a business enabler should absolutely be the starting point for enterprise information security programs. One excellent example of this is identity federation, which enables easier integration across companies and technologies and puts stronger identity credentials on the wire in the process. Secondly, if your security model reflects some CYA abstraction of reality instead of reality itself, your security model is flawed. I explored this endemic myopia in a series of posts on decentralization and security. JSB and John Hagel taught us that integration and friction cannot be separated; attempts to do so lead to confusion and disorder, and this is the heart of the issue Dr. Garigue’s work is articulating. If your business and systems are decentralizing with both hands, and your security model is predicated on centralized, iron-fisted control, then the only place your security model works is on the whiteboard.