Recently in Future Trends Category

Boutique consultancies are back in fashion


It's been a few weeks since my last blog posting. That's the bad news. The good news is that it's the result of being rushed off my feet with consultancy assignments. Interestingly it's not my usual line of business. I generally set out to try and make a living from research and write white papers.

But I detect that the security consultancy market is going through a much needed change at the moment, with many clients getting fed up with buying the usual, off-the-shelf, template products offered by Big 4 and other large outfits. They are looking for more practical help from experts who are prepared to listen to their concerns and develop a tailored solution.

I'm particularly finding this in the Middle East where many of my customers started by buying identical paper bricks from big consultancies. These tomes now sit unread on the shelf gathering dust. Implementing them is the problem. Paperwork is useless unless everyone understands it. It might get you part of the way towards a certificate, or help to impress an inexperienced auditor. But it's near impossible to put a hundred page manual into action if no one has read it.   

This issue is largely inevitable. Consultants tend to measure their worth by the amount of paper they generate. Twenty years ago that might have been a challenge, but with today's instant availability of thousands of policies, standards and control methodologies on the Internet, now anybody and everybody can be a security consultant. You just need to be able to cut and paste text and questionnaires.

I prefer to take a different approach. Rather than copying a business continuity manual from a previous client, I prefer to start with a two page plan and then show the client how to progressively build it into a more comprehensive working document. My clients from last year now have plans of around 50 pages. The difference is that they developed it all themselves. Now that's real security. Once upon a time I thought that was becoming an impossible dream. Perhaps there's hope for us all yet. So let's celebrate the fact that boutique consultancies are coming back into fashion. 


Six security forecasts for 2012


My crystal ball tells me that 2012 is a relatively predictable one. That's largely because we've experienced significant changes in the political, business and security landscapes, ones that are sufficient to inspire some form of predictable short term action. Amongst other things it means some interesting action items will percolate up the management agenda. Here's my top six predictions for 2012.

Space weather creates concern

Even if you're cynical about the forecasts of widespread electrical disruption, it's certainly worth dusting down the contingency plans and filling up the generators. At the very least, increased solar activity will probably cause a few minor annoyances to GPS users. The larger concern, however, is that it might take out mobile communications, power supplies or perhaps anything with a GPS chip. Not quite Y2K in impact, but longer, less predictable and much less researched and publicised.

Social networks get secure

Why have we been waiting so long to deploy a solution to insecure social networks when it's not that difficult to achieve? The answer is our lack of imagination. This will change in 2012 as easy-to-use products emerge to secure Facebook and Twitter communications, just in time for a Springtime wave of citizen uprisings. I'm already playing with an alpha version.  

Big data is the new black

Yes, we've all known about the information explosion for decades, arguably for centuries. The problem is that no one has done much about it. But big data is now becoming interesting, both as a challenge to existing security processes and an opportunity for data mining and fusion opportunities. It's a timely catalyst for change as the real future of security lies more with smart information exploitation rather than industrial-age quality management systems. I detect an increasing number of security vendors exploring this area. That's good news for a security community that's lacking in imaginative ideas.

The electronic Pearl Harbour strikes home

I've been forecasting the electronic Pearl Harbour for more than a decade. In 1999 I predicted it would not happen until at least 2006. That analysis was based on technology road mapping exercises. Last year I forecast it would finally hit home. It didn't, but the integrity of many of our critical services continues to survive on borrowed time. Expect a big catastrophe this year. It's long overdue, and much needed to shake up the current lacklustre order of battle in the cyber security space.

Public clouds fail to hit the spot

Why are public cloud services so reluctant to give security assurances? Now that's the bit I don't get. You can't make money without talking up your products. There are plenty of liability considerations of course. But that's precisely why big customers are holding back. If vendors can't deliver cast iron guarantees then big companies will not buy the services. If any cloud services catch on they are likely to be private or hybrid implementations. Public clouds might seem like a good idea in theory but they have a long way to go in practice.  

The new global game

For decades we lived in the shadow of a largely invisible cold war dominated by pervasive espionage aimed primarily at military or diplomatic targets. It had little, if any, apparent impact on everyday citizen and business interests. Few of us noticed, or cared what was going on. Today it's different. The new battleground is our global business infrastructure, and the targets our trade secrets. It's no longer realistic for governments to turn a blind eye to hostile attacks, or even attempt to keep the new game under wraps. As exploitation of stolen secrets becomes increasingly visible, then we should expect an overt response to any covert attacks. It's time for soft targets to strike back. 


Security Forecasts for 2011 - Right or Wrong?


As we near the close of 2011, I find it instructive to look back and see just how accurate my forecasts proved to be. At the start of the year I forecast three major shifts in thinking during 2011.

Firstly, I expected that we would experience a major security incident involving the integrity of critical national infrastructure - perhaps an easy forecast, given the discovery of Stuxnet in 2010. Yet surprisingly it didn't happen. 2011 was perhaps a lucky year for CNI managers, but many insecure legacy systems continue to survive on borrowed time. 

Secondly, I forecast that emerging security technologies, based on virtualisation and trusted computing, would encourage user organisations to develop non-traditional approaches to securing enterprise infrastructure. Unfortunately, as Bill Gates pointed out, we have a tendency to overestimate what happens in the short term and underestimate what comes to pass in the longer term. Many existing solutions were found wanting in 2011, but innovative alternatives have yet to be adopted. 

Thirdly, I predicted that we would finally see some action in response to the growing need to encourage small and medium enterprises to implement security. I'm pleased to say that this forecast was nearer the mark, with the launch of the ISSA-UK 5173 standard, the US Government "Small Biz Cyber Planner" and a host of vendor solutions from the likes of Qualys, Sourcefire and Dell.

I also suggested that 2011 could see the start of a revolution in security thinking, which would last for most of the next decade, a period that might prove to be a new age of enlightenment for information security. On this one I probably jumped the gun. I still believe this will likely happen, but not until next year, judging by the reaction I get from my lectures to universities and conferences. 


The Future is in fashion


As a regular conference speaker I'm always intrigued by which topics are in fashion and why. A few years ago it was outsourcing and cloud computing. More recently it's been the human factor. Lately it's been the future of security that attracts the most interest. I've given three talks on this subject over the last few weeks. And I'm not the only one speaking on that topic, though I have to admit that I do seem to be rather better informed.

Why should the future of security be fashionable? After all it's been coming for a long time. The answer is because existing approaches are failing. No matter how hard we work the results are inadequate. Process improvement and maturity frameworks are not the answer. They remind me of Samuel Beckett's words: "Go on failing. Go on. Only next time, try to fail better."

So we need new solutions. Unfortunately, however, there is little concrete on offer. I've seen quite a few good analyses of the problem space by analysts, vendors and even partners of Big 4 companies. But I have yet to see anyone articulating a decent vision for the future.

My own views are more radical. I take the view that we must adapt our approach from the current one which is rooted in outdated, industrial age 'process' thinking, towards one based on a real-time, improvisational response, more in keeping with the characteristics of the information age. Our approach to security needs to change considerably: to be more immediate, personal and outwards, and focused on intellectual assets such as reputation, relationships and responsiveness.

Priorities, skills and technology all need to change. Many professionals have only just discovered that process can be as powerful as technology. But manual or scripted solutions are not effective in a dynamic, connected environment. The future of security demands smart use of technology and thoughtful relationship management. Process is an industrial age concept and will eventually be consigned to the scrap heap.

In fact security has always been primarily about gaining maximum visibility and persuading thousands of people to do things they don't even want to consider. In the past we got away with it by simply showing evidence that we'd tried our best. But in the future we will need to achieve real results. To be honest nothing much has really changed. It's simply that our previous inadequate efforts have been found out.


Preaching in a security wilderness


Last week I was fortunate to be speaking at Cyprus Infosec 2011. It was a first class event with intelligent speakers, great debates and a smart audience. But yet again I seem to be the only speaker calling for a forward looking approach to security.

Too many of our thought leaders are locked in the past, preaching outdated standards and old-fashioned management systems. These tools might be necessary for compliance but they will not meet emerging security challenges.

The business landscape is changing from one that is relatively static, standardised and synchronised to one that is dynamic, devolved and diversified. Fast-changing threats can't be countered by static policies and paperwork. Internal governance systems can't control external supply chains.

The future demands new approaches to responding to external events. And this in turn requires new skills, better intelligence, and smarter technology. Security managers should leave the paperwork on the shelf for the auditors and start implementing countermeasures that are capable of preventing advanced persistent threats.

We closed the conference with a futurist who pleaded for simplicity and regarded users as stupid. He was wrong on both points. Networks encourage diversity and complexity. We can't and shouldn't hold them back. The answer is to increase the intelligence in our security controls. Stafford Beer pointed this out more than 40 years ago. And it's not users that are stupid but the people who design their systems. Safety experts learned that many decades ago. 

Is this as good as it gets?


Every single day we hear new reports about large organizations being thoroughly penetrated by sophisticated attacks. Just when we thought it could not get any worse, it does. This is not just bad luck, and these attacks are not simply isolated incidents. It is, in fact, a phenomenon to be expected; the result of years of neglect in addressing the root causes of security breaches.

Put bluntly, our current approach to information security is not fit for purpose. It hasn't been for years, though we continue to congratulate ourselves on our efforts with bullish presentations and glittering award ceremonies. But the fact is that a growing wave of regulatory compliance has well and truly drowned what little inspiration might have existed to create new solutions. The result is that organized crime and intelligence agencies are free to steal whatever they want from our databases.

Let's face it, our so-called best practices are no more than bureaucratic collections of ancient (often flawed) rituals. They might satisfy our auditors and regulators, but they don't address the growing gaps in our defences. This is to be expected to some extent, as standards and compliance processes are intrinsically backward-looking. It takes many years to identify, document, agree, implement and certify a set of controls.

Security today demands forward-looking horizon scanning and real-time assurance mechanisms. And it needs to be executed across an increasingly externalised infrastructure. The users have left the building, the apps are following. Securing the in-house LANs and servers is not the answer. And we are a long way from agreeing the new problem space.

Designing strategies, writing policies and conducting audits will not fix these problems. We have to break free from the treacle of compliance and build brand new solutions. The key question is who will lead this revolution? So far no one appears to have come forward. Not industry, not the governments, not the institutes and not the universities. Even the vendors are short on solutions. (Many have only just discovered ISO 27001.)

The security community has a long journey ahead. It would be useful to have a direction, a leader and a budget to solve it.     

It's exploitation, not possession that counts


Last year we saw the beginning of a change in attitude to information security, with a growing realisation that highly sophisticated attacks (such as Stuxnet) can and do happen. The threat is now taken much more seriously and new actions are being taken, at least by government. That's a useful step forward. But neither government nor industry appears to have grasped the broader implications of the changes introduced by the information age, of which threats are just one component.

More significantly for security is the inevitable shift in behaviour towards information management. We are entering an age when the value of intellectual assets resides much more in exploitation than possession. Or, as Alvin Toffler put it several decades ago, it's the information flows - not stocks - that really count. This trend is regularly accelerated by step changes in the ease of information sharing.       

That's why attempts to stamp out leaks are mostly doomed to failure, as illustrated by the recent leak of a US government strategy to prevent leaks. The proposed solution is far too weak to tackle the growing problem space. Instead, we need to rethink our philosophy towards information management. The key to the future is openness and trust, not secrecy and caution.

Security Forecasts for 2011


What will 2011 hold for information security professionals? Last year I predicted a year of change. It did not happen. But we are incubating a major crisis: legacy systems are vulnerable; existing security technologies are breaking down; a dangerous monoculture is building; and an information tsunami is heading our way.

Today's security solutions will not meet tomorrow's demands. The longer we put off change, the greater the potential damage from a major incident. The security community is slow to react to a changing problem space, however, preferring gradual evolution to radical revolution. So don't hold your breath. Nevertheless, I expect to see three major shifts in thinking during 2011.

The first is that we are likely to experience a major security incident involving the integrity of our critical national infrastructure. Not quite Die Hard 4 perhaps, but sufficient to incentivise utility companies to tackle their long-standing security vulnerabilities. Building security into the systems development cycle will need to be taken out of the "too difficult" box. The long haul towards building acceptably secure information systems will begin.    

The second is that emerging new security technologies, based on virtualisation and trusted computing, will encourage user organisations to develop non-traditional approaches to securing enterprise infrastructure. Cloud computing technology will provide an opportunity to escape from the treadmill of patching physical platforms. Security will also migrate to the cloud, and previously-ignored controls, such as device authentication, will become fashionable. 

The third is that the growing need to encourage small and medium enterprises to implement security will finally be tackled. ISSA-UK is leading the way with new standards and guidance. Their initiative is likely to set a much bigger ball rolling across the globe, as SMEs dominate supply chains across key supplier regions such as the Far East.     

Many other things should - but will not - happen. The supply chain is likely to remain 'the elephant in the room'. Data integrity will be a greater concern, but little will be done. The need for new skills, ranging from psychology to reverse engineering, will be debated but not addressed. The importance of the human factor will be recognised, but awareness budgets will remain low.

But 2011 will see the start of a revolution in security thinking, which will last for most of the next decade, a period that might prove to be a new age of enlightenment for information security.   

Security Forecasts for 2010 - Right or Wrong?


As we near the end of 2010 it's interesting to look back and see how accurate my forecasts for the year proved to be. A year ago, I predicted that 2010 would be a year of change, and I expected to see three major trends: 

  • Rethinking security roles and skills: going back to the drawing board and establishing new roles, objectives and competences.
  • Data integrity becoming a growing concern, though little would be done about it.
  • Supply chains dominating the problem space.

Clearly, I overestimated the propensity for change in the security community. Each of these issues has been highlighted, but the community preferred to sail on in the same direction, not even attempting to re-arrange a deck chair or two.

None of these issues has gone away. Regardless of difficulty, they must be tackled. Unfortunately, a herd mentality has set in at a time when revolution should be in the air. Nothing will change until there is a major shift in the perception and attitudes of institutes and industry associations. Achieving that would be a fine New Year's revolution. 

Information Security 2020


Back in October, the ISSA-UK Advisory Board, together with some of the UK's top information security thought leaders, met to discuss the challenges of the next decade of information security. The meeting, held at the House of Commons and chaired by the Rt. Hon. David Blunkett MP, resulted in a fascinating and engaging exchange of views. Last week I presented the results to an ISSA-UK chapter meeting. My report of the findings, with a preface by David Blunkett, has just been published on the ISSA-UK web site.

You can't of course expect a perfect or complete analysis from a single event, no matter how knowledgeable the contributors. But this one is quite good and compares favourably with existing forecasts from analysts. More importantly, I hope that we can build on this basis over the next year, to produce a more sophisticated road map for the next ten years.

The next decade will be highly significant, as we've clearly reached an inflection point in information security, a time beyond which existing practices will progressively fail. Over the next few years we need to encourage the development of new approaches, skills and solutions. And do not accept, as many claim, that we already have enough science, technology and methods. We don't.

Let's face it, we haven't even solved long-standing problems such as how to design secure systems, influence user behaviour, tackle insider threats and secure external supply chains. In the future these challenges will be greatly amplified by step changes in threats, information volumes and in the use of external services.

To respond to these challenges, we have to stop behaving as a herd, and encourage greater innovation. More of the same won't do. That means governments should sponsor more competitions, institutes should stop stamping out alternative approaches, and security managers should stop complaining about the proliferation of new security products. So let's stop promoting best practices and start saluting new ideas.  
