Is IT Security/Technology Risk Management a discipline or an art? Is it subjective or objective? (Is information technology deterministic or just overly complex?)
Are IT systems and frameworks closed systems? What comparable frameworks or systems (through which value transits) must defend against sentient attackers who attempt to subvert, control or disable services?
Can organisations quantify the value of information in motion or at rest within their managed footprint? Can they independently verify/audit the flows and data objects present? Somehow the bad guys have a better appreciation for CPU, disk and BW and SERVICE than we have!
Does it come down to simple economics? How to incentivise and penalise?
Surely 'Critical Infrastructure' should be held to extremely high standards by an independent body of technical auditors?
Does it really come back to accountability? Do we/they/us/them need to get burned badly (which the miscreants don't want either!) before we are enlightened...
Can the little guys afford the head count of the big boys? (Big boys who actually sometimes have *less* of a clue about their systems than the little guys in the first place!) Is it possible that sink-holing traffic centrally in the cloud will give us the visibility/control we have hoped for? Thin offices perhaps staffed with 'thin' people :)
For me it comes back to a simple paradigm. You can't manage what you can't measure. We need to return to atomic units via reductionist thought. This is what I hope shall come with cloud and utility computing. Can you or the cloud provider "afford" NON-integral CPU, DISK, FLOWS, BW, KILOWATTS... runaway code... such that it now becomes a billing issue? Once IT shops in enterprises start properly implementing "charge-back" rather than a flat-rate service we may see some changes... this coupled with a metric/cost applicable to shared infrastructure such as network fabrics, DNS, NTP, control planes etc...
How can we secure a service when we can't even charge for a service?
Billing 2.0, Utility 2.0, Employment 2.0