Security is dead

Is Security Dead, in the same sense as “Quality is Dead”, with reference to the formulaic, fashionable, industrialised Total Quality Movement?

Does anyone else see the parallels between infosec and TQM? Both are Politically Correct, proselytising, fervent, and obsessively process-driven. In both quality management and security management we’ve seen a dizzying progression of ever fatter standards (the ISO 9001 and ISO 27000 series), ever more detailed corporate procedure manuals, and truly endless audits.

Want better quality? Want better security? Then you’d better write another Work Instruction and hold another training course! Invariably the response to every new breach is to remediate the security policy.

I see the early days of a long overdue security backlash. The ISO 27001 and PCI-DSS regimes are finally being exposed as robotic. The fad is passing, the hangover is palpable, and critical reappraisal of policy-based security management is imminent. It’s such a shame that the security audit industry wasn’t recognised sooner as a repeat of the quality movement two decades ago.