Security: on or off the radar right now?
Filed in archive Security by Scott Wilson on November 19, 2008

I have to say that it's been off mine, of late; the economy, efficiency of operations, and innovation have been things which have taken up more of my focus recently. But off my custom security-related RSS feed this morning I hit upon a post from the handler on duty at SANS Internet Storm Center with the attention-grabbing title: Are We Doomed? Well, if that doesn't serve to refocus one's mind, I don't know what does!
The post is a simple laundry list by security consultant Lenny Zeltser of SAVVIS comparing positive ("we're saved!") and negative ("we're Doomed") trends in security, and his title comes from the fact that he came up with more negative than positive. This surprised me a bit, quite possibly simply due to my own inattention... I've been feeling fairly bullish on security recently, with no real reason behind it. I've been aware of most of the trends on the "doomed" list for some time... there's nothing new really, from the increasing size of botnets to the increasing professionalism and criminality of malicious attacks. Unlike Zeltser, I've felt them to be reasonably within the OODA loop of the security community... manageable, in other words, in-hand despite the occasional individual corporate compromise, meaning we're not actually "doomed" as we might be if the threats were developing and evolving faster than the responses.
While I'm happy to acknowledge my own lack of expertise when it comes to security (although, even at that, I feel as if I am more aware of it than many in the industry), I don't find the Doomed list all that persuasive. While it may be numerically superior, qualitatively I feel as though the advances made by the industry and listed in the Saved column represent considerable advances over the forces of darkness. We've seen any number of security breaches, particularly egregious ones resulting in the loss of masses of personal data or high-profile web defacements, in recent years. My sense of them, though, has been that they are generally examples of poorly defined policies and poorly executed practices. They do not, in other words, represent the consensus approach of security best practices today, and instead are a failing of leadership rather than theory. Security seems to be absolutely capable of addressing the common threats in the Doom column; the desire or ability to implement it appears to be what is failing. But it seems by nature to be a failing which is corrected quite naturally in the course of events.
It's far too soon to call security a "solved problem" and it probably always will be. And like many things, security runs in cycles, some favoring the attacker and some the defender. But how do you feel? Are we doomed, or do you as CIO feel that you have security well in hand at the moment?
