Well, I don’t think you can, and I’ve been working in IT security since the early 1990s. In those days, mentioning IT security to anyone usually elicited either a nonplussed response (what do you mean, data security?) or defensiveness (I don’t have security problems, how dare you insinuate…). Attitudes towards IT security have changed drastically since then, probably because of all the high-profile leaks of sensitive data (helped along by slack attitudes towards security from world governments): companies now place security among their highest-profile projects.
That aside, IT security has changed in other ways too. One of the more recent consolidations of ideas in IT security, and a real step forward, has been the recognition that digital identity and security are two sides of the same coin. More and more people understand that a digital identity is the key to associating a security policy with a data object. Doing this means you can tailor policies to a person’s reputation, so that they become much more pertinent to the individual. For example, if some form of reputation level were linked to an Information Card issued by an organisation, that organisation could in turn tailor the use of that card by a relying party (say, the access system of a website or a data protection agent), so that the individual’s reputation determines what they can and cannot access. It is a very simple concept (technically a bit more difficult). Organisations and companies are getting this; however, many in the IT security industry, the people who should be best placed to understand the concept, are not.
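The relying-party side of that idea, as an added example that is not code from the original post: a Python sketch in which an organisation issues a claim set carrying a reputation level, and a relying party maps that level to the resources it will release. Real Information Cards carry SAML tokens with the issuer’s XML signature; the HMAC-signed JSON claim set, the pre-shared key, the issuer name "example-org" and the resource-to-level table are all assumptions made up for the illustration. The one point worth taking from it is that the relying party must verify the issuer’s signature before it trusts the reputation claim; otherwise the user can simply assert a higher level.

```python
import hashlib
import hmac
import json

# Assumption: a secret shared between the issuing organisation and the relying
# party. A real deployment would use the issuer's public key and a signed SAML
# token instead of a pre-shared HMAC key.
ISSUER_KEY = b"constructed-shared-secret-for-illustration"

# Assumption: the relying party's policy, expressed as the minimum reputation
# level needed to reach each resource. The resource names are made up.
RESOURCE_POLICY = {
    "public-forum": 0,
    "member-downloads": 2,
    "admin-console": 4,
}


def issue_card(subject, reputation, key=ISSUER_KEY):
    """Issuer side: bind a reputation level to a subject and sign the claim set.

    The claims are serialised canonically (sorted keys, no whitespace) so that
    the signature covers exactly the bytes the relying party will re-hash.
    """
    claims = {"iss": "example-org", "sub": subject, "reputation": reputation}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"claims": payload.decode(), "sig": sig}


def verify_card(card, key=ISSUER_KEY):
    """Relying-party side: return the claims only if the issuer's signature holds.

    Returns None for a tampered or unsigned card. compare_digest avoids the
    timing side channel of an ordinary string comparison.
    """
    payload = card["claims"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, card.get("sig", "")):
        return None
    return json.loads(payload)


def authorise(card, resource, policy=RESOURCE_POLICY):
    """Decide access from the verified reputation claim, never from the raw card.

    Unknown resources and unverifiable cards are denied (fail closed).
    """
    claims = verify_card(card)
    if claims is None:
        return False
    required = policy.get(resource)
    if required is None:
        return False
    return claims.get("reputation", 0) >= required


if __name__ == "__main__":
    card = issue_card("alice", 2)
    for res in RESOURCE_POLICY:
        print(res, "->", "allow" if authorise(card, res) else "deny")

    # A user editing their own card to claim a higher level is caught by the
    # signature check, so the relying party still denies the admin console.
    forged = dict(card)
    forged["claims"] = card["claims"].replace('"reputation":2', '"reputation":9')
    print("forged admin-console ->", "allow" if authorise(forged, "admin-console") else "deny")
```

The policy table is deliberately the relying party’s own data: the issuer vouches for the reputation level, but what that level unlocks is the relying party’s decision, which is the tailoring the paragraph above describes.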
I turn now to Pam Dingle’s experience with a man called Alex from RSA (see here: http://eternallyoptimistic.com/2009/04/26/rsa-2009-aka-dear-mr-kirschner/#comments). Pam is a renowned expert in the area of digital identity – remember the intimate connection between securing information and digital identity. Pam tried to get a pass to RSA because she is a blogger in the area of data security. Her blog is extremely informative and no doubt used by many people in IT security to inform themselves. Alex, however, decided that Pam’s blog wasn’t worthy of a pass into RSA because she didn’t write about IT security. What hope is there for the security industry to educate itself and innovate, when those who are supposedly deep in the industry can’t even work out what IT security is and can be? Alex, as Molesworth would say, you are a fule!
By the way, for people reading this outside the UK, here is some information on Molesworth: http://en.wikipedia.org/wiki/Nigel_Molesworth
