Years ago, information security or cybersecurity was in the hands of specialists, who set the rules that users had to follow – in theory. Whether the users really followed the rules, policies and recommendations is a different story, but that was how it worked. I rarely remember a CIO, CFO or CEO really being interested in security – until things broke.
Today, life is different. If I look at the public space, a lot of people want to talk about cybersecurity in one way or another, and many governments across the globe have started cybersecurity initiatives. This is a really good development, as societies will run into huge challenges if technology fails, but it poses some new challenges as well:
So, what needs to change? In my opinion, different things:
Therefore, we mainly need to change the way we communicate outside the core set of security people. We need to leave the bubble and make our knowledge accessible to business people in a pragmatic way and understandable…
Security needs true randomness, as you can see in content.wuala.com/.../Security%20needs%20True%20Randomness.pdf
Since true randomness is not supported by Microsoft, a "change in the approach" could start by supporting this must-have requirement for security.