As someone who has spent the vast majority of their working life in information security, I realise that saying “Let’s get rid of security” makes it sound like I’ve lost the plot. The world is more connected, more complex and more attacked than ever, so surely we need more security, not less. Hear me out…
The problem with security is that it is a “thing”. It is something other. It is an addition, a bolt-on, a layer, a wrapper. What it isn’t is embedded. We still treat security as something that we have to do in addition to, or in competition with, other processes that run our business.
- We have our IT team. And then we have IT security.
- We have our facilities team. And then we have physical security.
- We have our HR team. And then we have personnel security.
Sometimes the security function is part of the underlying team, and then we complain that it isn’t independent.
Sometimes the security function is independent of the underlying team, and then we complain it doesn’t understand.
See what I mean?
As long as we continue to make security separate to business, the only winners will be the vendors selling this year’s solution.
If we really want to ‘Make the World a Safer Place’, then we need to absorb security into all business processes, and finally get rid of it!