The last two years have been an eye-opener for business, governments and citizens. They should now be aware of the vulnerability of information systems to penetration by spies, hackers and criminals. But do they care? Not that much it seems, as they clearly continue to trust service providers with their data.
Perhaps we might experience one or two wake-up calls this year. Certainly we can expect that everything to do with intellectual assets and cyber security will be bigger, faster and more volatile, as that is the underlying nature the Information Age. At the same time we can expect that little or nothing will get fixed or be any more secure, as that costs money and reduces business opportunity.
So what in particular will be waiting in the wings for cyber security professionals in 2015? Here are my personal forecasts.
The Internet of Things will be primary focus of this year's research, investment and hype. But there will be no killer applications or compelling business cases. It will remain largely a solution looking for a problem, held back by a lack of imagination, standards and security. The idea of publishing sensor data to citizens is a daft aspiration from a security point of view. But researchers and product developers do not listen to security experts.
There will be no escape for security managers from the growing treacle of regulatory compliance. Amazingly, implementing an information security management system to ISO standards requires as many as fifty individual pieces of documentation. But the paper overhead will continue to increase with more competing standards and questionnaires surfacing each year. (I've had to develop a sophisticated 4D relational database to keep up.) Technology can help but current GRC solutions are immature, and some add to the swamp of data to be processed. This will be the year for CISOs to invest in more efficient enterprise solutions.
Prediction is the new, 4th dimension for security. The theme of this year's Infosecurity Europe is "Smart data to detect, contain and respond". But the theme is outdated: smart vendors such as Qualys have already added "predict" to the thirty-year old "prevent, detect, respond" paradigm. A decade of regulatory compliance treacle has relegated prediction to the back burner. It need to bounce back. Let's all aim to reverse this trend by pushing the focus firmly towards the future. It could be the single most important paradigm shift of the year 2015.
Small data is the answer. We've seen increasing hype and emphasis about "big data" over the last few years. The hype is slightly misplaced. The data does not have to be big, but it needs to be intelligently selected and creatively combined. As Deming correctly pointed out (though he is a bad poster boy for the Information Age), running a business on visible figures alone is one of the seven deadly diseases of management. Today we have numerous sources of data, within and without the enterprise. Fusing this data will help shed visibility of risks and incidents. The data does not have to be big. Searching out, capturing and combining small data is the real key to predictive analytics.
The commoditisation of cyber security. It's sad to say but many companies have been foolishly paying outrageously high fees for security experts that are little more than standards readers or script-kiddies armed with open-source software tools. There is a place for the expert, but there is also a place for the army of trainees. Smart companies will outsource the latter to low cost off-shore service providers.