Proactive vs reactive
Tuesday, May 20th, 2008

I went to a medical school graduation last night, and the keynote speaker gave a speech wherein he pointed to three things that were changing the way medicine is practiced. The first was the sequencing of the human genome, the second was the IT revolution, and the third was the fact that medicine is now being treated as a market commodity. While all are interesting, it was his comments on the first factor (the human genome) that bear some commonality with information security professionals. For millennia medicine has been a reactive science. Someone gets sick, so doctors try to find a cure. Although the human genome is clearly not the only thing to bring about a change in the way medicine is practiced, it was pointed to as a major landmark in the shift of medicine from reactive to proactive. Doctors can now know ahead of time if someone is at high risk for certain conditions, and begin treatment before a patient actually exhibits symptoms. (I know this is an oversimplification, but it’s the principle that matters.)
Information security has been struggling with a similar transformation for several years now. Everyone seems to realize that reactive information security is not the way to go in the long run, yet not many people can figure out how to get away from it. We’re still stuck in our test-patch-repeat mindset. Maybe we need something similar – something like the sequencing of the human genome – to shake things up.