Security Forecasts for 2007

It’s getting to that time of the Season when many of us look ahead to a New Year with mixed emotions of hope, fear, uncertainty or just plain boredom. What will 2007 bring? Will it be more of the same? Will it herald a new age of prosperity or danger? Here’s my Top 10 Security Trends of the coming Year.

Security Threats Get Nastier. No surprises here, except for those organizations that get hit. The existing trend of continuing exploitation of hacking and malware by criminals and intelligence agencies will continue, with stealthier, personalised attacks, generating a much-needed paranoia to compel more organizations to raise their game in protection, detection and incident response.

Databases Are The New Target. Identity theft is a growth industry but not enough organizations are properly equipped to safeguard their personal data against determined, sophisticated attack. There will be many incidents reported, thanks in part to legislation such as California law SB 1386, which requires companies to notify Californian residents of security incidents affecting their personal data.

Compliance Gets Tougher – The Backlash Begins. There’s no end in sight to the current run of regulatory compliance demands. Organisations will continue to grapple with tougher demands for electronic archiving and more effective safeguards for personal data. At the same time we will see the beginning of the backlash, starting with a mass Exodus of the USA’s finest start-up technology companies seeking a Stock Market listing in London.

True De-perimeterisation Remains Beyond Reach. Our corporate networks have already been de-perimeterised, but unfortunately the new De-P solutions on the drawing board have yet to be developed into everyday countermeasures. So sticking plasters will continue to be applied to shore up our perimeter defences and safeguard our most valuable applications. Like all short-term fixes they’ll eventually become unstuck.

Social Computing Makes An Impact On Everyday Business. Forrester have been telling us for the past year that Social Computing is the next big thing. And they should know, because their business is in the firing line. Few organizations have woken up to the business implications of the P2P revolution. They will during 2007 when mass exploitation of personal networks begins to erode many traditional business services, and Ivory-Tower Corporate Centre functions get sidelined by networked company staff. Power to the people!

Professionalism Makes Slow Progress. We now have a new Institute but don’t hold your breath just yet. Levels of professional training are still tremendously low. Expect little change during 2007 as Industry and Government slowly put the foundations in place for the much-needed step change in professional development to meet a large-scale, growing skill shortage. The problem may well be exacerbated by continuing mergers of IT Security functions with Risk, Security or other related functions that have absolutely no background in what is becoming an increasingly complex and demanding subject area.

No More Mr Nice Guy – CISOs Get Tough. Zero-day exploits are real but few organizations are able to apply patches across their estate in less than a week. Alternative solutions will need to be found, such as tightening firewall policies, closing down third-party connections and blocking access from unpatched clients. Expect CISOs to become even more unpopular than they already are.

Technology Takes Center Stage. 2007 will see the emergence of an unprecedented variety of new, imaginative security technologies enabling entirely new capabilities at prices that are expensive but compelling. Business cases will rule, as organizations realise that they can no longer carry on cobbling together outdated solutions from ineffective physical and manual countermeasures. In the new world of hand-crafted, zero-day, criminal attacks, 80% solutions simply won’t cut it.

Security Vendors Unite. I’ve always believed that point-solution security vendors would be better if they cooperated more. Expect this to happen with customers demanding more integrated solutions, yet recognizing that point solutions deliver superior performance. As my good friend Andrew Yeomans puts it: “Does ‘best of breed’ translate as ‘much more expensive than you require’ and ‘point solution’ mean ‘doesn’t solve the real issue’?” Yes of course but we couldn’t live without them.

And The Electronic Pearl Harbour? Back in 1999 I forecast that this would not strike until around 2006. I have to stand by this. We are approaching a peak in risk profiles, with widespread vulnerabilities, loss of perimeter security, criminalization of hacking and the advent of cyber-terrorism. We could certainly do with a not-too-damaging wake-up call.