
When I was but a wee lad, I was given chemistry sets, electrical sets (low voltage, I promise), erector sets, and piles of books about the world and its inhabitants. Knowledge fueled ideas and experience was my guide. While I'm quite certain I didn't have the scientific method mastered at the age of eight, I tried things. If they didn't work, I'd try again. We need to start trying things in this industry.

A couple of years ago I was meeting with a few influential gentlemen from the Department of Defense. The purpose of the meeting was to share the product roadmap, but also to talk about ideas for the future. I remember distinctly that we were encouraged, as a vendor, to experiment and take chances. That's tough for any vendor to do. But that's the problem, isn't it? We really need to start experimenting again in this industry.

At the same time, their advice makes complete sense. Here's an example of how experimentation might work: what do you think would happen if we threw some XBRL wizards from the financial world (the SEC has mandated its use for financial reporting) into a room with some auditors and security practitioners? Let 'em stew there for a while and see what they come up with. For kicks, we could add a scrum master and make them do four two-week sprints. Timebox them.

What do you think would come out of that? I’d bet that for less than $50,000 you could come up with a very plausible plan to define an information security reporting framework. For $100,000 you might even get the proof of concept out the door and into the hands of real-world organizations. Keep in mind that this particular example might serve to obviate the need for myriad reporting formats.

Disciplines aside from reporting in this industry would benefit from this type of experimentation. We are full of knowledge and ideas, but we're so bogged down in operational funk that it's difficult to let experience be our guide when it comes to testing our ideas. Another important aspect to consider is that XBRL comes from a domain that is distinctly unrelated to information security. Innovation and experimentation in cybersecurity can benefit from looking outside its domain; it's quite likely that someone has already solved some of the problems we are facing.

What do you think you could do for $100,000 to advance the state of the industry? I'd like to know.

  • Markevertz

    Hey Adam,
    Good to see you writing! You know what I'd like to do with $100k? Start a corporate training program to educate end-users on how to keep company information and PII safe from people who are trying to steal it. I have no idea if $100k is enough or too much, but I'd appreciate a chance to try it out.
    Please mail my check to
    Mark A. Evertz

    P.S. The curriculum will be largely based on what's in your brain, and other Sec Stallions you know, but brought down to the layman's level (that's where I'd come in). Let me know when you're ready.
    Cheers,
    m