As we approach the end of 2007, lots of folks and entities are putting out security reports. I'd like to add one that I think should go on the top of your list. Cisco has just issued the first of what will be an Annual Security Report, and even though I'm at Cisco (and because of that you might discount the source), I still commend it to you.
The report takes a broad view of the issues, addresses seven categories (vulnerability, physical, legal, trust, identity, human and geopolitical), and has some practical, actionable and useful recommendations to improve security. It also focuses on the growing role that coordination and collaboration among interested parties have to play, parties that have not always traditionally worked together as closely as they need to, such as IT security teams, businesses, governments, law enforcement, and consumers. And it emphasizes the need for this to happen globally. (In fact, for more insight on the value of public-private partnerships in protecting public sector infrastructure, check out John Stewart's short video on Cisco's security center.)
Some of the recommendations include: conducting regular audits within organizations of any attractive targets and evaluating the real threats and defenses; understanding the notion that threats follow usage patterns; changing the mindset of employees, consumers and citizens who consider themselves innocent bystanders and empowering them to become active influencers with shared ownership over security responsibilities; making security education a priority and investing in security education and awareness-building; institutionalizing IT security education by incorporating it into school curricula; considering more than just performance when building a secure network, focusing on the network's ability to collaborate, inspect, adapt and resolve security issues; and recognizing that security vendors need to provide comprehensive security solutions that extend throughout the network infrastructure, application mix and data itself.
From a policy perspective, the report recommends what surely is right: that ensuring flexibility is key; that private- and public-sector organizations should recognize that maintaining flexibility and protecting the ability to innovate in security responses is crucial for achieving security; that laws and regulations should not mandate particular security technologies, methodologies, or procedures; and that any static requirement will quickly become obsolete as threats and defenses continue to evolve in the real world. Innovation and flexibility are key to security.
So, happy holidays, and as you're sifting through your year-end reading, give some thought to security issues.