The whole of information/cyber security is founded on the idea that we can defend ourselves into security. But in the history of competitive endeavours nobody has won by playing defence alone. We have this idea that we can wrap our users and systems in enough padding to protect them in a world where guns exist. We’ve leaned so hard into this idea that we’re on the floor and it’s time to look up.
In a recent keynote at BSides Cape Town I explored this idea and tried to convince people both that defending harder is an idea with a diminishing ROI, and that we instead need to use law enforcement to impact the problem at its root cause – the criminals. Most in infosec believe and operate as if this is neither their job nor a worthwhile pursuit. I want to change that. First by convincing you that it’s worthwhile, then by helping us understand how we can orient our activities to better invoke law enforcement.
I’d love you to watch the talk and let me know what you think. Because it’s an idea that needs experimentation and practise. Can you include some of this in your strategy for next year?