Preparing for the next decade

Last week the ISSA-UK advisory board met at the House of Commons for dinner with a number of invited security luminaries to discuss the prospects for information security over the next decade. The turn of the decade is always a good point to take stock of recent learning points and look ahead to future challenges. It’s especially appropriate at this point in time, after the process industry has been shaken by unprecedented attacks on SCADA systems, and government has woken up to the importance of cyber defence and the need to invest in new skills and capabilities.

Of course, even the very best experts cannot be expected to deliver a perfect analysis and articulation of the full range of issues within the constraints of a three-course dinner. We have, however, captured many pertinent points, and we will combine these with other contributions from experts who were not present, as well as relevant research reports, such as PWC’s recent Revolution or Evolution: Information Security 2020 report.

The results will be compiled as an ISSA-UK white paper to be published towards the end of the year. In the meantime, I’d encourage any readers with thoughts or ideas on the future to post comments below. I’ll make sure they are incorporated into the report with appropriate attribution.

Join the conversation

3 comments


Hi David. Sounds interesting! FWIW my main concern for the decade ahead is the increasing power and resourcing of the black hat community - not so much the lone home hackers and hacker clubs (who are formidable but rather fragmented and from what I've seen relatively benign, well-meaning even in some cases) but the true criminal community that increasingly uses hacking and social engineering to harvest the real gold out there: the major corporates with lax security, negligible security monitoring and mostly not a clue that they might even be in the gunsights. There's a positive feedback loop at play: as the black hats successfully exploit small targets and get away with it, so they build up their resources (knowledge and cash) to invest in attacking bigger targets with more advanced weaponry. They can afford the R&D. We can't. At the same time, the white hat community has basically stalled. So long as you and others continue to press the line that legal/regulatory compliance is the most effective way to make corporates become more secure, we're on a hiding to nothing as far as I'm concerned. Compliance achieves the least amount required, and that under sufferance. It's hardly destined to show senior management The Light, namely that strong security makes good business sense, enables them to do more stuff safely, protects their most important and valuable corporate assets, and gives them a substantial commercial advantage over their insecure peers who are 'accidents waiting to happen'. Security-for-compliance is just a nasty, inconvenient and distracting annoyance, a cost of doing business. It's a bit like 'tidying the place up because the auditors are coming' as if a tidy office will distract them from seeing the fundamental flaws all around them.
The black hats love compliance, so long as that means they can safely assume their targets will have made the least possible effort to meet the bare minimum standards to the letter, while largely ignoring all the supporting things (such as the human factors - security awareness, competence, training, qualifications, procedures and all the other good stuff in your book!) that are actually required to become secure. If those are not mandated, they evidently don't matter so they aren't being done. That's the dark underbelly of compliance. As an ardent fan of ISO27k, I'm dismayed, not to say horrified at the general lack of uptake of the ISMS approach. With just a few thousand organizations certified to ISO/IEC 27001 so far, and a few tens or hundreds of thousands more using the standards without being formally certified, this is barely scratching the surface of the millions of organizations Out There and all those accidents-in-waiting. Most managements will spend as little as they possibly can for PCI-DSS or privacy/data protection compliance, but won't take the next bold step of consolidating all those point solutions into a coherent information security management system, and working to fill the gaps. One of these days, they will run out of fingers to plug the holes in the dam. Oh well, I guess you can lead a horse to water ... Cheers, Gary
David, I tried to respond here but the CW site won't accept/publish my response for some reason, so I have published my response on my own blog instead. I'm not trying to hijack this, honest! Keep up the good work. http://blog.noticebored.com/2010/10/decade-ahead.html Regards, Gary
