I think this heated discussions show the push for change in deeply ingrained concepts in our field. The famous "High/Medium/Low" risk management fallacy, for example, is one of those. The ultimate trust in the perimeter and the anti-buzzword tools are also changing to something else. What are those things changing to? There are proposals and new ideas everywhere, but it's still not clear what will win in each case. But there are good hints out there. We have heard a lot about "situation awareness" and "meaningful data/metrics", among other things. Those are probably some of the concepts that will be taught as core components of information security to the future professionals.
Now, about that: how can we ensure that those things will be assimilated by major drivers of security education, such as the major certifications (e.g. CISSP)? After all, it doesn't make sense to talk so much about the next generation risk management and decision making methodologies if people will still be studying ALE to pass an exam. We need to break that cycle, ASAP.
No comments:
Post a Comment