Who should start the ‘data security revolution’?

After I posted the video and opinion paper, a reader posed a simple yet deep question.  GroogFish, in the YouTube video comments, asked "...who is supposed to start this 'revolution'?"  As my response is a bit lengthy for the comments section of YouTube, I am posting it here.

I believe everyone has a role to play and a responsibility to support steps for securing data.  It is, after all, OUR information.  To succeed, a data security revolution must be a community effort resulting in the development of an entire ecosystem, with standards, communication, and an open architecture.

Consumer demands bring attention to the problem and ultimately will drive features.  Regulatory bodies, dare I submit, can enact requirements which mandate changes to technology capabilities.  Hardware and firmware vendors are important in order to support new architectures.  Data management and processing organizations must be on board to ensure interfaces and storage formats of data are compatible.  Operating system and application writers are key players to utilize and enforce such controls at the host system and repository levels.  They develop the products which engage the user.

The information security communities are the expert advocates.  They must analyze the situation, stimulate conversations, guide changes, and engage in value assessment discussions to become the sharpened spearhead which leads the charge forward.  Traditional and social news media should also contribute to overall education and public awareness.  They must go beyond just reporting the breaches, failures, and losses.  We are at risk of becoming numb to all the stories, without a meaningful reference point or perspectives of significance which show how the situation can change.  The public must be better informed about the root problem, the industry opportunities, and the dark truth of where apathy will lead.

I would like to see a consortium formed with major players and international standards bodies to establish a framework for development.  Government, privacy, commercial, academia, technology, and security representatives should be represented at the very least.  Critical mass with the aforementioned groups must be established before enough traction motivates a commitment on behalf of lead players to allocate initial resources.  Alternatively, assertive academic bodies could work together and take a first step by developing recommended standards, architectures, and proof-of-concept systems.

Although some pieces of the puzzle are out there, we don’t even know what the picture is supposed to look like, and there are no guarantees the available parts will or should be brought together.  Boldly, I believe we must enforce a tabula rasa to nurture a fresh start, otherwise we risk poisoning from our natural presumptions of what we believe we know.  It may not be the most popular sentiment, but adopting refined solutions and attempting to bolt them together is a mistake.  Instead, we should take the learned and proven principles of those solutions and integrate them at a strategic level to eventually lead us to workable end solutions.

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.