Most credit card safety advice is virtually useless. The truth is very few payment card details are stolen from websites or people's computers. Organised crime targets the databases of payment processors and big merchants, where they steal the details of tens of millions of cardholders at once. You might never have shopped online in your life, and still have your card details stolen, behind your back, at a department store breach.

This is Part 2 of my coverage of the White House #CyberSecuritySummit; see Part 1 here.

It would be naive to expect such an event to make actual progress. But on the other hand, the root causes of our cybersecurity dilemma have been well known for years, and this esteemed gathering seemed oblivious to them.

Where's the serious talk of preventing cyber security problems? Where is the attention to making e-business platforms and digital economy infostructure more robust?

This is an updated version of arguments made in Lockstep's submission to the 2009 Cyber Crime Inquiry by the Australian federal government.

In stark contrast to other fields, cyber safety policy is almost exclusively preoccupied with user education. It's really an obsession. Governments and industry groups churn out volumes of well-meaning and technically reasonable security advice, but for the average user, this material is overwhelming. There is a subtle implication that security is for experts, and that the Internet isn't safe unless you go to extremes. Moreover, even if consumers do their very best online, their personal details can still be taken over in massive criminal raids on databases that hardly anyone even knows exist.

Increasingly, commentators are calling into question the state of information security. It's about time. We infosec professionals need to take action before our customers force us to.

Standard security is just not intellectually secure. We can't adequately protect credit card numbers, yet we're joy-riding like a 12-year-old on a stolen motorcycle into an Internet of Things.

We're going to have to fix complexity and quality before security stands a chance.

In my last blog Improving the Position of the CISO, I introduced the new research I've done on extending the classic "Confidentiality-Integrity-Availability" (C-I-A) frame for security analysis, to cover all the other qualities of enterprise information assets. The idea is to build a comprehensive account of what it is that makes information valuable in the context of the business, leveraging the traditional tools and skills of the CISO. After all, security professionals are particularly good at looking at context. Instead of restricting themselves to defending information assets against harm, CISOs can be helping to enhance those assets by building up their other competitive attributes.

Let's look at some examples of how this would work, in some classic Big Data applications in retail and hospitality.

Ed Snowden was interviewed today as part of the New Yorker festival. This TechCrunch report says Snowden "was asked a couple of variants on the question of what we can do to protect our privacy. His first answer called for a reform of government policies." He went on to add some remarks about Google, Facebook and encryption, and that's what the report chose to focus on. The headline: "Snowden's Privacy Tips".

Mainstream and even technology media reportage does Snowden a terrible disservice.

I am simply dismayed how Snowden's sophisticated analyses are dumbed down to security tips. He has never been a "cyber Agony Aunt". The proper response to NSA overreach has to be agitation for regime change, not do-it-yourself cryptography. That is Snowden's message.

I spend a lot of my time talking about mobility and enablement. When I’m not doing that the talk usually turns to security. So I had to pause today when someone asked me how do you balance mobility and security. I didn’t really understand the question. Why were people worrying about balancing mobility and security? Then I realized this was one of the basic issues that most companies face. It’s not a new issue either.

I wrote earlier this week about Identity and Access Management (IAM) and how it’s important for Infosec (Information Security) to be involved with projects early. The post generated a few comments and some commentary on Twitter, mostly from Infosec folks. Some complained I was too harsh on Infosec (I wasn’t) while others worried that I didn’t go into enough depth (I didn’t). In my mind though, it raised the issue of why there is such friction between Infosec folks and the rest of IT.

So, the downloading and use of a Facebook App could create security threats? Who'd have thunk it? Oh, wait...I could, and did right here on Huffington Post.

I spend a lot of time talking about organizations enabling their employees through the use of mobile. It’s truly the only way to ‘win’ at this game. When you enable your users to be more flexible and agile they become more efficient and productive. What more could you ask for? The question always turns to how do you actually enable your people. You start with the FUN principle (Focus on the Users’ Needs) and you build apps that enable them to do what they need to do, when and where they need it. There are many issues with building apps and if you focus on their needs you get most of the way there. Yet, there is still the fundamental issue when building an app that someone can use it anywhere and at anytime. How do you know who that somebody is?
