Looking back over 2006 I have to say that although it’s been largely more-of-the-same for many IT Security practitioners, there’s undoubtedly been a significant shift in the perception of other stakeholders, whether business, IT or citizens. Partly it’s been due to increased compliance demands forcing many organisations to manage their operational risks. But largely it’s down to everyday people’s growing first-hand experience of the importance of vulnerability management and the hazards of the Internet.
From my own perspective, with around two and a half decades of professional experience, I’m impressed with the degree of knowledge and professionalism that you can find in large organisations today, as well as the size of their budgets and headcounts. Back in the 80s there were only a handful of full-time practitioners, and no established body of knowledge on the subject. Practitioners were self-taught and operated independently. Throughout the 90s we saw increased networking and knowledge sharing, and the emergence of early security technologies. But few organisations had effective enterprise management systems. And many had yet to establish a professional function. The dotcom boom made some aspects of IT Security fashionable, and we briefly saw some rather ordinary security companies achieve staggering, though temporary, growth in market capitalisation. But this market was driven by investors’ greed, not real customer demand, so the boom was short-lived.
For me 2006 has been a watershed year for security process maturity, professionalism and technology. We’ve seen the birth of a new Institute – The IISP – though it has an awful long way to go to prove it can deliver anything useful. And for the first time, it seems that the majority of large organisations actually have a functioning management system, and a good professional relationship with other corporate functions. I’ve also seen an impressive range of specialised technologies emerge from start-up companies. These technologies will take a few years to be absorbed into the corporate tool box, but when they do they will provide unprecedented visibility and control of security across the enterprise.
So 2006 has been a good year for IT Security. The only thing we missed was the Electronic Pearl Harbour incident to wake us all up. Back in 1999 I forecast this was unlikely to strike until 2006. It didn’t happen. But it might well be on the horizon as we enter the New Year.