EAC Blog: The Age of Research Accountability
The folks at TechTarget were kind enough to let me republish the posts from my two weeks on the Expert Answer Center here on my own blog. This post first appeared at the EAC on July 3 (link here).
Welcome to my two-week stint in the Expert Answer Center. Over the next two weeks, I'll provide commentary on what is going on in the realm of information security and try to provide some "incite" to get you thinking about ways you can make your environment more secure. One of the things I find most offensive about IT research is the lack of accountability.
You know what I'm talking about. Inexperienced analysts make ill-advised market projections and the end users that actually take their advice are left holding the bag. Does anyone ever go back and really track whether these folks are full of crap? Does anyone ever call these folks out for just being wrong? Sadly, the answer has been no.
When I started Security Incite back in January, I wanted it to be different. I wanted to add value and help end users make better decisions about how to secure their environments. I want to make the tough calls, even if they are unpopular. I expect to be held accountable when I make stupid projections. Yet, there is no independent body to keep tabs on folks like me, so I decided to do it myself.
The first thing I did was publish a set of "Incites," or trends of what I expected to happen in 2006. Those Incites are attached to this blog posting. I got some great feedback on those initial perspectives and I knew some would be close and others... not so much.
Most folks revisit their projections annually, but I didn't think that was often enough. So I committed to evaluating my Incites twice a year. You can find the Incites Redux series that I posted to my personal blog here, here, here and here.
As you can see, some of my thinking was right on the money, especially relative to UTM, compliance, and security management. My ideas on application security and security education still have a chance, but clearly haven't happened to the extent I expected.
But if there is one thing I'd like you to develop over the next two weeks, it's an appreciation for the value of good industry analysis. Maybe I'm being a bit presumptuous relative to what is "good," but at a minimum you deserve someone to tell you when they hit the target, and when they don't. That much I promise -- so fasten your seat belts -- we're going to have a fun ride.
2006 Security Incites and Predictions

