Wednesday, April 22, 2009

RSA '09: The 'blessing' of homeland security



San Francisco - "Dude, it's a blessing."

That was the unhesitating and enthusiastic response of Dr. Hugh Thompson, chief security strategist of PeopleSecurity, the specialist in enterprise security education, when GSN asked him how he felt about the elevation of cyber-security to a fundamental pillar of homeland security.

He had just finished a spirited discussion, with an audience of approximately 150 attendees, at the RSA Conference, now underway here, about lessons IT security could draw from other industries.

Why hasn't IT security progressed further? GSN asked him. "We are so damn young," Thompson replied, adding that in some other industries "an armageddon had to happen" before changes were instituted.

"Plus, the cyber-security industry hasn't done a good job of marketing security to its users," he said. "Why is that?"

One reason may be that there is no independent third party that's "accountable," in the manner of the FAA in the airline industry.

Airlines, he observed, may lose luggage and delay flights, yet the flying public generally accepts that flying is safe. One of the reasons is that the pilot flying the plane is considered both a "trusted user" and a "motivated user," said Thompson. "We don't have that," he added.

Another possible factor is that "security really isn't taught as a foundational skill" at most universities, he observed, adding that, in fact, he himself teaches such a class at Columbia University.

Another area where security is still lacking is its standards of training and awareness, and that could mean changes in accreditation. "Are we headed to mandated certification?" he asked, with additional government regulation of the industry possibly ahead.

One audience member suggested that, as in some other industries, IT security needs to "stress" its systems until they fail, then analyze the results and learn from them.

Thompson agreed and also noted that airline regulators and the airline industry study crashes intensively, examining black boxes and so forth, to learn from them. And in medicine, doctors and hospitals regularly convene "mortality and morbidity" reviews to understand the causes when patients die.

"That's something that's missing in our space," he said.

When one audience member suggested the arcane, science-fiction-sounding physics phenomenon of "quantum entanglement" as a way to ensure password security, Thompson looked amazed by the possibilities.

"Dude," he said, "I smell start-up."
