Information Security Articles

We Can Dream in 2009
07/07/2009

I am happy to be living, working and doing business in what will go down in history as the most significant time of technological change in the history of our nation.

In the late 1960s, a great American, who remains unknown to most of us, gave birth to what we know today as the Internet. This momentous event came as a great beacon of hope to thousands of scientists and computer nerds who had been kept hostage in their own private networks. It came as a joyous dawn to the day of communicating and sharing data with everyone on the planet.


But 40 years later, the freedom to surf the net we all anticipated comes with great danger. The Internet is not safe. Carefree Internet surfing is sadly crippled by the manacles of spyware, viruses, hackers, worms, phishing, and the chains of security ignorance. Forty years later, we live on lonely networks behind firewalls in the midst of a vast ocean of digital information. Forty years later, we languish in piles of spam and find ourselves in exile in our own email accounts. Forty years later, we pray at night that our very identities will not be stolen from us while we sleep. And so we search for an answer to our shamefully insecure condition.


In a sense we search for that magic bullet to make everything right. When the architects of the Internet wrote the magnificent words of the TCP/IP standards, they were signing a promissory note to which every American was to fall heir. This note was a promise that all men, yes, and women too, would be guaranteed the "unalienable rights" of "email without spam, online banking without identity theft and the pursuit of secure business transactions over the Internet." It is obvious today that the Internet has defaulted on this promissory note, insofar as those of us without expensive firewalls are concerned. Instead of honoring this promised security obligation, the Internet has given us all a bad check, a check which has come back marked "insufficient security."


But we refuse to believe that the bank of information security is bankrupt. We refuse to believe that there are insufficient funds in the great vaults of secure online transactions of this nation. And so, we will stand together to cash this check, a check that will give us upon demand the riches of a secure Internet and the justice of non-repudiation for all.


We must also stand up at this hallowed point in history to remind American business of the fierce urgency for Information Security Now! This is no time to engage in the luxury of business as usual or to take the tranquilizing drug of gradual improvement. Now is the time to make real the promises of secure electronic transactions. Now is the time to rise from the dark and desolate valley of a false sense of security to the sunlit path of best practices. Now is the time to lift our companies from the quicksand of self-certification to the solid rock of third-party validation. Now is the time to make information security a reality for all of America's businesses.

It would be a fatal mistake for our nation to overlook the urgency of the moment. The legitimate discontent of our nation's lawmakers will not pass until there is an invigorating spring of business self-regulation to a higher standard of security. Two thousand and nine is not the end of Sarbanes-Oxley implementation or mandatory PCI compliance, but the beginning of international standardization. And those who hoped that the Nation's regulators needed to blow off steam and will now be content are in for a rude awakening if they allow their companies to return to business as usual. And there will be neither rest nor tranquility in America until the public trust is regained. The whirlwinds of insecurity will continue to shake the foundations of our nation until the bright day of security for all emerges.


But there is something that I must say to my fellow security professionals, who stand on the warm threshold which leads into the palace of information security: In the process of gaining our rightful place in the board room, we must not be guilty of "Nick Burns the Computer Guy" arrogance. Let us not seek to satisfy our thirst for recognition by saying "I told you so." We must forever conduct our struggle on the high plane of dignity and discipline. We must not allow our enthusiasm for embracing security to degenerate into a tunnel vision for technology. Again and again, we must rise to the majestic heights of remembering it's all about protecting the business and not just buying the latest security gadget.


The marvelous new militancy which has engulfed the security professional’s community must not lead us to a distrust of all board level managers, for many of our management brothers, as evidenced by their renewed interest in due diligence, have come to realize that their destiny is tied up with our destiny. And they have come to realize that their very freedom from jail is inextricably bound to our ability to guide them on the path to full compliance.


We cannot lead the culture change to "Total Security" alone.


And as we lead the change, we must make the pledge that we shall always march ahead.

We cannot hesitate, we cannot lose faith, and we cannot turn back.


There are those who are asking the devotees of information security, "When will you be satisfied?" And I say we can never be satisfied as long as a single transaction on the Internet could lead to the unspeakable horrors of identity theft. We can never be satisfied as long as our business critical information can be stolen without actually going missing. We cannot be satisfied as long as our businesses depend on a connected supply chain. We cannot be satisfied as long as threats to our security are ever increasing while resources to protect our information are shrinking. No, no, we are not satisfied, and we will not be satisfied until "security awareness training rolls down from the board room like a waterfall, and best security practices are embraced by all."


I am not unmindful that some of you have only recently come to understand "It’s about protecting the business" and not about defending the latest technology purchase. Some of you have come fresh from the trials and tribulations of reacting to the latest regulation. And some of you have come from the trenches of the security profession where your quest, your fight for security left you battered by the storms of management apathy and staggered by those brutal words, "What’s the ROI?" You have been the veterans of creative although not so quiet suffering. Continue to work and preach good security practices with the faith that your undeserved suffering is about to end. Go back to work in manufacturing, go back to work in healthcare, go back to work in financial services, go back to work in energy, go back to work in automotive, go back to work in defense, go back to work in insurance, go back to work in your chosen security profession, knowing that we stand on the threshold of a new day when our Nation’s security posture can and will be changed.


I say to you today, my friends, let us not wallow in the valley of insecurity.


And even though we face the difficulties of today and tomorrow, we can still have a dream. It is a dream deeply rooted in the release of the international information security standard, ISO/IEC 27001:2005.


We can dream that one day all companies will have information security policies and procedures in accordance with internationally recognized best practice.


We can dream that one day e-commerce can be conducted without fear because "We hold these truths to be self-evident, that all information security management systems are created equal."


We can dream that one day even the small company, sweltering under the heat of insufficient funding, can be transformed into a security trusted business partner.


We can dream that one day soon less time and money can be spent on security assessments and where "Certified once, accepted everywhere" is the rule.


We can dream that one day the acceptance of your security program will not be judged by the latest client visit, but by the scope of your ISO/IEC 27001:2005 certification.


We can dream today!


We can dream that one day the big company "silo" approach to solving compliance issues will give way to a holistic, risk-based security and privacy process.


We can dream today!


We can dream that one day every company’s security status can be measured to internationally accepted criteria resulting in mutual recognition.


We can dream that one day soon our cries for security awareness will fade away because due diligence, best practice and risk mitigation will be on the hearts of all managers and employees.


This is our hope, and this is the faith that we go forward with.


With this faith, we will be able to carve a stone of hope out of the mountain of neglect. With this faith, we will be able to transform our companies' disjointed approach to information security into a beautiful symphony of best practices. With this faith, we will be able to teach together, lead together, gain certification together, keep our board members out of jail together and stand up for security and privacy compliance together, knowing that we will be heard one day.


And this is that day -- this is the day when all security professionals must stand up and sing a familiar tune with new lyrics and a new meaning:

27001, 'tis of thee, sweet standard of security, of thee I sing.

All assets identified, All risks fully nullified,

From every boardroom, let security ring!

And if American business is to be secure, this must become true.


And so let security ring through the very policies of every company in our great nation. (A.5)

Let security ring through the way we manage our organization. (A.6)

Let security ring through the way we identify and protect our information assets. (A.7)

Let security ring through the way we screen, train, manage and hold accountable our employees. (A.8)

Let security ring through the way we prevent unauthorized access and compromise to our assets. (A.9)

Let security ring through the way we manage communications and everyday operations. (A.10)

Let security ring through the way we assure only authorized access to our information. (A.11)

 


But not only that:

 


Let security ring through the way we acquire, develop and maintain our information systems. (A.12)

Let security ring through the way we manage security incidents. (A.13)

Let security ring through the way we assure the continuity of our business. (A.14)

Let security ring through the way we assure compliance with statutory, regulatory or contractual obligations. (A.15)

 

From every boardroom, let security ring.

 


And when this happens, when we allow information security to ring, when we define our scope, list our assets, identify the risks, create the mitigation plan, select the security controls, shore up our policies and procedures and define the continuous improvement framework, we will be able to speed up that day when we can become ISO/IEC 27001:2005 certified and all the businesses of the world will recognize our ISMS and rejoice to the tune of that familiar song:

 


Secure at last! Secure at last! Thank God Almighty, we are secure at last!

 

 

Humble thanks to Dr. Martin Luther King, Jr.

"I Have a Dream" delivered 28 August 1963, at the Lincoln Memorial, Washington D.C.

 

 

About the Author

 

 

Barry Kouns is Principal and Information Security Director for SQM-Advisors, an Information Security and IT Service Management Consultancy. He has extensive experience leading financial, healthcare, software developers and insurance companies to successful ISO/IEC 27001:2005 certification. Barry can be reached at bkouns@sqm-advisors.com

 
