Chapter 27. Conclusions

We are in the middle of a huge change in how security is done.

Ten years ago, the security manager of a large company was usually a retired soldier or policeman, for whom 'computer security' was an unimportant speciality he left to the computer department, with occasional help from outside specialists. In ten years' time, his job will be occupied by a systems person; she will consider locks and guards to be a relatively unimportant speciality that she'll farm out to a facilities management company, with an occasional review by outside specialists.

Ten years ago, security technology was an archipelago of mutually suspicious islands — the cryptologists, the operating system protection people, the burglar alarm industry, right through to the chemists who did funny banknote inks. We all thought the world ended at our shore. Security engineering is now on the way to becoming an established discipline; the islands are already being joined up by bridges, and practitioners now realise they have to be familiar with all of them. The banknote ink man who doesn't understand digital watermarks, and the cryptologist who's only interested in communications confidentiality mechanisms, are poor value as employees. In ten years' time, everyone will need to have a systems perspective and design components that can be integrated into a larger whole.

Ten years ago, information security was said to be about 'confidentiality, integrity and availability'. These priorities are already ...
