When one of my daughters was about 3 or 4, she asked me if I rode to school on a horse. In her mind, adults grew up in the so-called olden days, in a sepia-tinged time before cars, cell phones or the internet. One day, her daughter might ask her a similar question: What was life like before the metaverse?

In the future, we might barely remember life before the metaverse — just like we sometimes struggle to recall the days before PCs or Wi-Fi. The metaverse may change everything we know about the cyber universe, but the security profession doesn’t quite know what to make of it.

If you’re still unclear on the topic — and many security leaders are — the metaverse is the next, more immersive iteration of the internet. Today’s web is made up of memes, blogs and Zoom. Tomorrow’s version of the web is a combination of virtual reality, augmented reality and 3D computing, where users might inhabit their own avatars and interact in a simulated version of reality. Platforms such as Second Life, Roblox and Minecraft are steps in that direction, but the full-fledged metaverse promises to be much more encompassing.

To many people, it might as well be 1,000 years off into the future, when intergalactic travel is common and aging is a thing of the past. Still, however, it comes as a surprise that when I ask security professionals how the metaverse will transform security and security leadership, many of them frequently return blank stares, uncomfortable chuckles or exaggerated shrugs.

As host of a series of moderated Zoom calls on the topic, security visionary Lee Odess is one of the few protection professionals thinking through the ramifications of the metaverse on security. He includes the metaverse as part of web3, which also encompasses blockchain, cryptocurrency, non fungible tokens (NFTs) and so on.

Security is perilously close to being late to the game, Odess says. “We’re going to be caught flat-footed. Delivery happened to security without us preparing. Mobile happened to us. They were forced upon us, and we didn’t have a point of view,” he says. “We have to start having a conversation about the metaverse before it is foisted on us.”

So what does this mean for security leadership? Odess recently posted a request that flipped the traditional mentor/protégé relationship on its head — he was seeking a mentor younger than himself. Young security professionals understand the web3 mentality, culture and technology better than what Odess calls the “old guard.” He asks: “Could most C-suite [executives] in our industry use a good young professional mentor? I’d say yes.”

He might look no further than Paula Balmori, a security design consultant who is having the very conversations that Odess is talking about.

“From the physical security leadership perspective, the line between virtual and physical is getting closer,” she says. “It’s time to start thinking of the unimaginable… how are we going to anticipate the effects of the virtual world on the physical world, and in what ways are we not prepared?”

She notes that, in an effort to monetize the metaverse, a company might replicate a real-world floor plan in the virtual world, potentially compromising the security of the brick-and-mortar facility. Or adversaries might watch patterns and activities in the virtual world, take that knowledge and then apply it to compromise physical lives.

But Balmori is careful not to suggest locking down the metaverse, lest it stifle innovation. “The people who are creating this world don’t want to be supervised or constrained. Security doesn’t want to make the mistake of being the entity that [destroys] it,” she says. “How can we promote ethical barriers around new things coming our way without killing them?”

Ethical barriers might be the best constraints until laws and regulations catch up to the technology. Thieves in the metaverse are already stealing NFTs, the equivalent of forging art in the real world. And the law is struggling to deal with it.

Both Balmori and Odess say the metaverse will affect the industry whether security leaders like it or not. They urge security professionals to engage now. “We have the opportunity to get ahead of this platform more so than we were able to with other social media,” Balmori says. Whereas society was behind the curve on the mental health effects of social media, security can actually address this concern proactively in the metaverse.

“I don’t expect everyone to get a Coinbase account,” Odess adds. “Just engage in a dialogue and show a higher level of interest and have a point of view. Show intellectual curiosity.”

For my part, I may just seek out my now-21-year-old daughter as a mentor — if her dorm has a hitching post for my horse, that is.