
What Is Truth to Power?

Truth to Power (T2P) is:

  • dedicated to bridging the gaps between governance and practice, technology and business, regulation and control, risk management and real market pressures, and your own knowledge and the knowledge of your peers.
  • built to create a common pool of knowledge, one big brain, that lets you work more efficiently, build technology and business practices more effectively, and endure audits more effortlessly.
  • a neutral hub through which you can reach many valuable information nodes, resource collections, and organizations that are already helping people like you, but in fractured ways.
  • against the idea that auditors, analysts, and consultancies can control information simply through their ability to collect and distill it. T2P's goal is to unlock the vast body of knowledge, insight, and conventional wisdom that we all have, make it freely available to you, and help you digest and interpret it without undue cost, bias, or hype.
A Sense of Self-Preservation

I'm starting to think that we, as a people, have devolved to the point of losing most of our basic survival skills. If you spend any time driving the crowded roads of a major metropolitan area, or passing through airports and their associated screening processes, or even just pay attention to the news and some of the incredibly idiotic things that people are doing these days (Baptist "missionaries" trying to steal kids from Haiti, Pennsylvania schools surreptitiously spying on students via issued laptops, or even the current state of mindless politicians being directed by their corporate masters), then you might understand what I'm talking about.

This thread absolutely applies to infosec and the business community. It seems decreasingly likely that businesses are doing what is absolutely necessary to protect themselves—and, more importantly, to ensure that the business continues. I'm not talking about business continuity in the BCP/DR sense (though that's certainly a part of the big picture). I'm thinking, quite simply, about fundamental attitudes and behaviors that reflect a general lack of awareness about viable threats to the business and continued success.

What we really need is a wake-up call of some sort. A call for sanity and forethought to return to business. A call to move away from short-sightedness and shift back to long-term thinking that builds commercial value, benefit, and profit for much longer than three months at a time. Similarly, enterprises need to adopt a mentality that puts a premium on the survivability of the business; for example, by acting to defend against reasonable threats and establishing reserves that preserve operations in the face of contingencies.

From an infosec perspective, this should translate into a few common-sense practices...

Stop talking about traditional "risk management" as some sort of magical rubric or panacea.
Start talking about threat modeling and legal defensibility.

Stop using ad hoc approaches to security architecture and solutions.
Start adopting a holistic ISMS-like approach.

Stop delegating ownership of security to IT or other non-business leadership.
Start requiring executives and board members to own and take responsibility for security.

Stop relying on shortcuts to survive audits.
Start demonstrating actual due diligence by adopting a reasonable standard of care.

Stop looking for ROI to "justify" security.
Start thinking of security as a business enabler that facilitates better decisions and helps protect the business during both good and bad times.

This looks to be a good year for a return to rational thought. It's time to reawaken a sense of self-preservation in ourselves and our businesses. To survive is success in and of itself. Accomplishing that goal means building an environment that is resilient to changes, threats, and whatever else may try to shake the business to its core.
