What is security? Is it a mindset? Is it a measurable and actionable posture or position? Or is it a bit of both? People, as a race, learn from doing; they learn by example. Ingrained into our psyche is a process that builds new information upon previous knowledge as we learn. As Isaac Newton said, “If I have seen further than others, it is by standing on the shoulders of giants.” Basically, we bring in a foundation of old information as we process new information.

But this does not always work in our favor, particularly in the area of technology. Technology has a way of exposing the flaws in past ways of thinking by filling in the gaps between human assumptions. Technology answers many of the questions that, frankly, were previously answered by ad-libs. I think the relationship between science and religion also exemplifies this quite well. As more technological advances are made, more things about the world that were previously explained by divine intervention, or magic if you will, are demystified. The people who came up with these answers were revered as some manner of guru and were held in a position of regard. Some were indeed gifted and contributed to the well-being of others with their insight and wisdom. And some were a bunch of jackleg gurus making up stories in the absence of wisdom, insight, and altruism—or they were simply snake oil salesmen. My intent is not to be prophetic, but rather to make the suggestion that we need to focus on making clear distinctions between the lessons that history holds that provide true value to information security (infosec) and the ones that are simply a bunch of crap.

A security strategy needs to plan for and respond to incidents as moving targets on a sliding scale. Vectors and targets will change as technology changes, and as revenue sources for criminals dry up, new ones will be scouted out. Attacks against users and modes of behavior in a home-usage environment will migrate to mobile scenarios as both individuals and businesses conduct more and more business via cell phone. But while the attacks change with the targets, what remains constant are the fundamental building blocks of security, which I believe are security in depth and least privilege. The reason for this is because I have been writing about this subject for decades now and these two security concepts have remained as reliable and dependable as they were years ago.