I really enjoyed Anton's post "Once More on Failure of Academic Research in Security," where he cites Ian Grigg's "The Failure of the Academic Contribution to Security Science":
"[A]cademics have presented stuff that is sometimes interesting but rarely valuable. They've pretty much ignored all the work that was done beforehand, and they've consequently missed the big picture.
"Why is this? One reason is above: academic work is only serious if it quotes other academic work. The papers above are reputable because they quote, only and fulsomely, other reputable work. And the work is only rewarded to the extent that it is quoted ... again by academic work.
"The academics are caught in a trap: work outside academia and be rejected or perhaps worse, ignored. Or, work with academic references, and work with an irrelevant rewarding base. And be ignored, at least by those who are monetarily connected to the field.
"By way of thought experiment, consider how many peer-review committees on security conferences include the experts in the field?"
This is very interesting, but I'm not sure I agree. I think another reason might be the lack of ex-practitioners (with military and/or commercial hands-on experience) in the teaching ranks. Whatever the case, it should not be restricted to our field. There must be dozens of other professions with disconnects between academia and industry?
Incidentally, I was just invited to be on the peer-review committee for VizSec 2008, in conjunction with RAID 2008, in Boston next September. I am really excited to be attending both conferences. Maybe inviting me to be on the board is an indication of academia reaching out to industry?
A focus on practicality is one of the reasons I am drawn to the University of Cambridge Computer Laboratory, where the focus is on actionable security research, not theory.