What can all those flames tell us about the Infosec industry?
The RSA Conference ended again, bringing only a small bunch of interesting sessions and a lot of "anti-new-buzzword" products, just like the last editions. One thing that seemed to be different this year was the irascible state that a lot of professionals in the field are in. I saw a lot of heated arguments during panels, discussions and even on Twitter. Is it because we are getting more passionate about our work, or is it just a symptom of the frustration of fighting an uphill battle?
I think these heated discussions show the push for change in deeply ingrained concepts in our field. The famous "High/Medium/Low" risk management fallacy, for example, is one of those. The ultimate trust in the perimeter and the anti-buzzword tools are also changing into something else. What are those things changing into? There are proposals and new ideas everywhere, but it's still not clear what will win in each case. There are good hints out there, though. We have heard a lot about "situational awareness" and "meaningful data/metrics", among other things. Those are probably some of the concepts that will be taught as core components of information security to future professionals.
Now, about that: how can we ensure that those things will be assimilated by the major drivers of security education, such as the major certifications (e.g. CISSP)? After all, it doesn't make sense to talk so much about next-generation risk management and decision-making methodologies if people will still be studying ALE to pass an exam. We need to break that cycle, ASAP.