We celebrated NetSPI’s 10-year anniversary last month. It’s amazing that it has been that long. The anniversary has led me to reflect on NetSPI’s history and on the security industry’s history (at least since I’ve been involved – so, from around 1995). Being on the forensics team at Ontrack in the mid-1990s, we saw a significant number of criminal and security-related incidents. It truly was the Wild West, with companies moving to Windows 95/NT 3.51 before they had a clue about stabilizing them, let alone securing them. Many people didn’t understand that email lived beyond what you saw on your screen (let alone that files lived on forever on various hard drives). At that time, very few people in corporate America (including those in IT) had any idea what was going on within their IT environments. In many organizations, the CFO ran IT and no one else at the C-level wanted anything to do with it. Security wasn’t even a joke for most companies – it was a non-issue, and at Ontrack we got to see that first hand.

That NetSPI started around 9/11 is an unfortunate but useful reference point. It was ironic that an event that should’ve heightened corporate America’s focus actually led to decreased attention and reduced budgets for information security. In 2001 almost everyone I met talked about what a great industry information security must be because of the focus created by 9/11. Nothing could have been further from the truth. Companies were cutting spending dramatically. This wasn’t necessarily the case in the Northeast (because of its proximity to 9/11), but it was around the rest of the country. IT security was an abstraction unrelated to corporate operations. From 2001 through 2005 or so, there was a lot of commiseration about the lack of traction information security was getting. The “I’m beating my head against a wall” feeling was pretty strong for those in IT security, at least everywhere but in very large financial institutions.
There was always hope that one day people would start to care. In fact, in many conversations there was an underlying sentiment that “the C-level isn’t giving me what I need, and some day they’ll pay.” That someday felt like it was probably decades away, but everyone hoped that non-IT and executive management would start to get it. It’s hard to believe, but I think that day – the day upper management gets it – has come. Just look at Sony. Because they’re a Japanese company, there are some cultural issues that have played into holding the person at the top accountable. It is remarkable that there has been discussion about his accountability and the future of his job. It didn’t start entirely with Sony; things have been changing for a while. Events like the RSA breach were a wake-up call, and because Art Coviello, RSA’s President, responded, I think we’re seeing a sea change in attitudes and accountability with regard to information security. While the responses and/or the programs are not entirely what many in our industry would consider adequate, we’re seeing C-level responses, and there appears to be action behind their words. At least let’s hope.