Until you put an end to the status quo, the rest of the world (namely China) is happy to move on without you.

I used that in the most general sense. I suggested to Adam a while ago that he should get a precise definition from Guy Kawasaki; it was his article.

If one were to use the terms that Kawasaki did as a simple definition, something that worked 10-15 TIMES better rather than 10-15% better, I think that paints a picture of something startling, or ground shaking.

In infosec, I don’t think that something that is an improvement in vulnerability scanning or automated patching etc, would qualify. Those are incremental improvements. Protecting systems with vulnerabilities that have no patch, or can’t be patched might or without the need to patch, might.

I’m going to reply to some points in more depth in another blog post, but quickly:

@Anton — sure, I’ll grant you that there’s a lot of research that doesn’t really advance the state of knowledge (“idiocy” as you call it), but I’m more interested spawning a few meaningful, game-changing research initiatives than I am about filtering the full range of research projects to reduce the amount of “idiocy”.

@Rob — can you be more specific about how you’d define “second curve”? If you look through the references I listed, I think you will find that they *all* point to the need for research that is fundamentally different than current research directions.

@PhilA — thanks for your support! I’m trying to be part of the solution. Rather like Archimedes, I’m looking for a place to stand so that I can then try to move the world!

@Peter — when I said “wide-spread”, I was really thinking about all the recent committees, commissions, brain trusts, etc. who have looked long and hard at why InfoSec research hasn’t been more successful. They all come to similar conclusions, and often repeat each other. This is especially true in interdisciplinary areas like metrics, economics, usability, and policy. But outside of these thought-leader groups, you are right that the broader community doesn’t share the vision or the specifics.

@Luke — I wouldn’t equate “experts” with “Pioneer Fellows”. It’s not just smart people thinking deep thoughts. As I listed in the post, I think the Fellows would have to be skilled at making things happen across sectors, as well as being leaders and evangelists.

@SteveD — I hear you, brother! I’ve heard that story dozens of times. Once the trails have been blazed by Pioneers then it will be much easier for individual researchers and students to find attractive, interesting, and also *feasable* projects for theses and dissertations.

While this may be a little different for doctorates, the Masters Thesis, once reality sinks in, was all about a quick hit of incremental change to just get it done, and possibly publish a high level paper. I believe that’s one of the reasons there are still quite a few papers being produced on NIDS. However, there are some interesting new areas that are borrowing from other disciplines just like data mining in the past: swarm intelligence, biological systems, etc.

As stated, we have plenty of problems to go solve, its the way research is done that may be the problem. In my day job, which is a forward looking security architect, and my night job which is security research towards a Thesis, I still don’t have true support in solving anything on those lists.

I don’t think that the conundrums that face IT Security are going to be effectively addressed by freeing up the time of security experts or pioneers. As you say, we need need solutions and the only group who can make meaningful changes are IT solution providers. I would vote for funding people in such organisations to produce better solutions.

Improving the state of IT Security will require a great deal of co-operation and behavioral changes that experts in the field are not well-suited to lead or execute. By and large I would say that we don’t need any more brilliant ideas, or at least we have enough work getting through those that have been provided over the last 20 years.

What we do need is better policy and processes execution – use good passwords, don’t lose your unencrypted USB stick, know who access your data and why, follow secure programming principles, don’t follow arbitrary web links, and so on.

It’s not so much that we need more time from experts, but more time from all the non-experts.

rgs Luke

Spaf thinks the solution is a bunch of money for people who look like him. Industry is trying to sell kit. Even the good people in academia seem to work on flawlessly incremental stuff. The last time I went to Oakland they were building telescopes to read LCD screens around corners.

Sorry for the negativity. I really admire what the book and this blog are trying to do. I think forums like this might be the best hope to make progress. Data: yes. Evidence: yes. I wish there was widespread acceptance of those needs, but I’m not sure I see that yet.

Anyone that can shed light on the new direction and the new models to address the current and foreseeable risk can change our course. Do not give up and share your findings. Many of us are defending the fort and relying on the research to help guide us.

Nice post. Inspired, but tired, because as you say, years of talk and millions of dollars later, what does the security industry have to show for its efforts?

You say there is widespread agreement about what needs to be done, yet nothing gets done and there are no solutions. Maybe the agreed upon direction is at fault?

I don’t know if you ever caught my Amazon review of the New School, but I expressed a theory that no amount of effort in the current direction will bring success, and I explained why. The current security model is broken and no number of incremental improvements will fix it. Should we be shucking one more quarter for more sorry efforts?