The security landscape is changing and the security industry must adapt to stay relevant. The economic and scale benefits of the cloud are causing organizations to move sensitive business processes and data outside of the safety of the corporate environment. New business models and other opportunities to create value through innovation are moving sensitive data and code onto untrusted mobile devices. Organizations are going to adopt these new cloud and mobile technologies and information security practitioners will be forced to evolve current models for risk management and mitigation. This presentation discusses the need for open software security standards to support this evolution. Being required to trust cloud service providers leads to a need for increased visibility into the software security practices of those providers. In addition, reliance on these providers’ software as well as the requirement to place software in untrusted environments such as mobile devices creates a demand for better standards for evaluating the security state of complicated systems. Many previous efforts have been focused on proprietary models that failed to provide sufficient insight or on models that lacked a level of technical rigor required to provide assurance. The solutions to these issues are open standards that are based on the real risks organizations encounter when adopting cloud and mobile technologies and the presentation outlines potential paths forward that can provide risk managers with the assurances they need while also freeing up businesses to intelligently consume emerging technologies.