January 31, 2010

Unlimited liability

My expert legal friend Dai Davis of law firm Brooke North LLP drew my attention to a recent ruling in a legal case involving a claim by BSkyB against EDS, who supplied them with a customer management system that failed to work. It's an interesting case because it involves a claim of £700m, which was substantially higher than both the £48m cost of the system and the agreed £30m limit of liability. 

BSkyB successfully claimed that EDS's salesmen had made negligent and fraudulent representations about their ability to perform the project within the stated timescales. This effectively removed the agreed limit of liability. Salesmen who like to bend the truth a little should take note. 

The ruling might encourage other unhappy IT buyers to 'have a go'. But this type of claim is certainly not for the faint-hearted. The legal costs are substantial. This case, one of the most expensive in UK legal history, involved 500,000 documents and 70 witnesses. The judgment was given nearly 18 months after the trial ended, in a document 468 pages long. An appeal is also likely.

There are obvious learning points for both buyers and sellers from this case. But the real winners from such cases are, as ever, the lawyers. 

January 26, 2010

Social engineering through social networks

There's an interesting story in the Financial Times about how the attacks on Google may have been engineered through social networks of targeted employees, posing as friends in order to persuade them to click on compromised links. It's a classic example of contemporary espionage, illustrating the growing power of social networks as well as the importance of strong authentication. The attack might seem unusually sophisticated to many people, but it's precisely what we should expect, given the current state of the art in information security. The solution lies in better security education for potential targets of attacks. Unfortunately, there's been far too much secrecy surrounding these incidents. Companies in the front line for such attacks need much better advice on how to avoid becoming the target of future attacks. That means more imaginative thinking on how such offensive techniques might develop in the future. We need to understand what's coming next rather than what's gone before.  

January 25, 2010

The fascinating world of digital investigations

Out of all the press coverage about the recent hacking of Google systems by Far Eastern hackers, the one that caught my attention was the description by Secure Works of the digital investigation of the code. What's really interesting is not so much the facts of the case, but the fascinating insight it provides into the new science of digital investigations. Amongst other things it demonstrates that even skilled hackers taking the trouble to disguise their identity can leave tell-tale traces that an investigator can detect. Forget the exaggerated claims of CSI investigators, this is the real McCoy.  

The world of outsourcing, off-shoring and cloud computing

Regular readers of this blog might have noticed a distinct lack of activity this last month. That's been largely down to the fact that every hour of my available time has been occupied in completing my new book on security in outsourced and off-shored environments. It's a big relief to finally complete this task, especially as it's a fairly dry subject, certainly not one that you can get excited about. 

But it's a hugely important subject, as well as a fascinating one. It's full of contradictions and non-intuitive conclusions. If I were a CEO, for example, I'd definitely outsource, even though I know it's far from the best strategy for delivering IT services. Why should this be? The answer is that it fits my mental model of how I think a company should be run.

Recognising and understanding this difference in perspective lies at the heart of understanding how to govern IT and security. CEOs are motivated by a different set of incentives than the mere desire to manage services efficiently. That's why the future lies in Cloud services, even though we know it presents risks and problems that do not appear reasonable to a security professional.  

Business leaders view the world differently from technologists and security managers. Outsourcing, off-shoring and cloud computing all hit a spot that in-house IT and security services fail to reach. In the same way a moth will always be attracted to a flame, so CEOs are inevitably seduced by a business model that offers the prospect of a slimmed-down executive team that focuses on business strategy rather than service delivery. It's a triumph of management style over common sense, but one that is impossible to resist.

January 19, 2010

In search of sensible security advice

Where does one turn to find objective, authoritative advice on security issues?

Certainly not the vendors, if the recent reports of a security flaw in Internet Explorer are anything to go by. There's a fair bit of spin or FUD in the announcements made in the last few days by Microsoft and its rivals. You have to carefully analyse the weasel words to get at the truth.

Nor can you rely on advice from governments, who seem to have created a hostage to fortune by recommending a temporary switch to other browsers. What does that mean? When will it be safe to go back? Are we talking days, weeks, months or years?

Security advice needs to consider the full range of circumstances. The size of the risk depends on many variables: products, versions, settings, behaviour, business impact, and of course the modus operandi, targets and capabilities of the attackers.

If Government wants citizens to use the Internet, then it needs to develop a more sophisticated approach to responding to vulnerabilities. Products cannot be judged to be fine one day, and unsuitable the next. Security flaws in products are inevitable. We need defence in depth and better citizen education, not last minute panic warnings.

January 11, 2010

Securing the supply chain

Security of the supply chain will be a dominant theme of this year. It's not been addressed sufficiently well in the past, but compliance demands are beginning to twist people's arms. In fact there are several different security problems associated with the supply chain. Firstly, our current policies and standards don't suit smaller contractors. Secondly our software development methodologies don't include enough security measures. And thirdly our sources of technology products are vulnerable to back doors and Trojans.

My New Year's resolution is to contribute to emerging solutions in these areas. This quarter I'll be focusing on the small company problem. I find it staggering that we haven't made much progress in this area. Twenty years ago when I was in Shell, developing the basis for BS7799, we recognised that a much smaller, concise standard would be more appropriate for small Shell companies. Yet today, it's hard to find much published security guidance that's suitable for small or medium sized companies. I believe that we need to go back to the drawing board and develop something new. It's not that difficult.

While I'm researching this area, I'd be interested to hear views on what approach, standards, advice and priorities might be most appropriate for implementing security in small companies. If we haven't cracked this problem by the middle of this year I'll be highly disappointed.

December 30, 2009

Standing at the Crossroads

At the close of the first decade of the 21st Century I find myself writing my 500th blog posting for Computer Weekly. It's an appropriate occasion to look back at the last ten years and look ahead to what might unfold over the next decade. Here's my take.

The early years of the century saw events and changes that transformed the face of security. The dot-com boom encouraged security vendors to promise more than they could deliver, before they disappeared as quickly as they emerged. Enron propelled regulatory compliance to the top of the board agenda. 9/11 created a new management appreciation of business continuity. Basel II created an unprecedented appetite for risk management. These developments shaped the nature of corporate security for the first half of the decade, encouraging the growth of established processes and controls, rather than smart use of new technologies. The end result was a steady growth in security spending, but a lack of real innovation.

The second half of the decade has been dominated by high-profile data breaches, coinciding with the progressive criminalisation of cyber threats, and the unexpected shock of a credit crunch. These trends put confidentiality firmly on the map, but placed economic constraints on security solutions. In the government field the emergence of cyber warfare threats highlighted the need to safeguard critical national infrastructure, resulting in a longer term interest to develop a common solution space to safeguard national and industry interests. The result has been an unprecedented political interest in security, with an appetite for short term fixes, coupled with an increase in government funding for longer term research initiatives.

The next ten years will present a range of even more challenging problems, different from anything we've previously encountered. We face sophisticated threats from criminals and hostile intelligence agencies. We need to convince a new generation of socially networked employees to apply badly-crafted corporate policies. We must persuade cloud service providers, who aim to reduce costs, to spend more money on security. We need to build new security skills that incorporate sophisticated techniques from psychology and marketing. We also need to secure whole communities of business partners who might operate very different policies and practices. And, at the same time, we have to respond to an unprecedented wave of regulatory compliance that might eventually send our directors to jail for an oversight in personal data protection.

To meet these challenges we need to do two big things: firstly to build for the long term; and secondly to innovate. Yet we appear to have lost our ability to do either, at a time when we badly need it. Security managers have been far too busy paying attention to short-term compliance needs rather than creative solutions. Vendors have been focused for far too long on re-launching old products with new features and fresh marketing. And academia has also been far too preoccupied with developing silos of esoteric interest, where success is measured more by media fashion and attention than by business success. At the same time, our professional development schemes have been focused on teaching old techniques rather than new skills. The barriers to entry for fresh ideas have never been greater. And we haven't even solved the problems presented in the last ten years. We need immediate action to redress the balance.

Security Forecasts for 2010

What will 2010 hold for information security professionals? Will it be more of the same? Or will it herald major changes? Personally, I believe it will be a year of change. Amongst other things, I expect to see three major trends.

Rethinking security roles and skills will be a dominant theme, triggered by pressures on in-house security functions to demonstrate business value. The traditional, operational focus of many security managers has been eroded by progressive externalisation of the solution space. Many CISOs operate at a distance from the operational action. Technical skills are less relevant and policies more difficult to enforce. Security managers need to be more than a tick in the compliance box or a convenient whipping boy. At a time when there is political pressure to reduce headcounts, we need to go back to the drawing board and establish new roles, objectives and competences.

Data integrity will be a growing concern, though little will actually be done about it in 2010. The next year will be a year of awakening rather than solutions, an attempt to understand this long neglected, final frontier of information security. Several years ago when I raised this issue, I seemed to be a voice crying in the wilderness. Last year many professionals voiced their support. More recently, it has shown signs of becoming a hot topic. Give it a few years before we see any real action, as it's a long term fix. Start by examining the problem space and be prepared to be shocked by what you uncover.

Supply chains will dominate the problem space. Whether it's the fear of technology suppliers planting back doors and Trojan horses in our information systems, or it's the threat of sub-contractors creating breaches or holding us to ransom, it's clear that we don't do enough to address the security of the supply chain. 2010 will be the year when we will be forced to get to grips with a problem space that's difficult, uncomfortable and expensive to address. Contractors are the soft underbelly of our information systems. And regulators are sharpening their knives.

December 29, 2009

Security Forecasts for 2009 - Right or Wrong?

As we near the end of 2009 it's interesting to look back and see how accurate my January forecasts were. I predicted that: fraud would hit the roof; information warfare would get real; human factors would top the agenda; security would get outsourced; and brand management would embrace security.

These forecasts were surprisingly accurate, perhaps suggesting that this field is becoming more predictable. Certainly we've already experienced several major paradigm shifts in this decade, such as the adoption of cyber attacks by the criminal and military communities, the shock of a major data breach, the growth in regulatory compliance, and the emergence of cloud-based security services. So are there any more surprises in store, or will the future be essentially more of the same?

The answer is that 2009 was largely a period of consolidation for information security, but 2010 will be quite different, with some important, new shifts in both perception and practice. I shall cover these in my next posting.  

December 22, 2009

Obama makes the right choice

I was pleased to see that President Barack Obama has picked Howard Schmidt to serve as National Cybersecurity Coordinator. As I've said before, Howard is the best choice as he has subject area knowledge and diplomatic skills, as well as international experience in both the public and private sectors.
