Security Forecasts for 2008

In keeping with tradition, it’s time to dust off the crystal ball and look ahead to the key trends we can expect to encounter during the next year. Here are my Top 10 predictions for 2008.

Media coverage of data breaches continues. Forget virus and worm outbreaks. It’s much easier to write sensational stories about data breaches. Many more will be reported during 2008 with increasing intensity.

Social networking will be a major target. Business and citizens will wake up to the fact that social networking sites present an excellent target for information to support identity theft and social engineering attacks. Responses will range from paranoia to “I ain’t bovvered”.

Confidentiality will be the new focus. Organisations will finally grasp the seriousness of the threats from organised crime and foreign intelligence services, and begin to take more effective action to prevent deliberate or accidental loss of confidential data.

Something wicked will come this way. Expect to see some scary developments in worms and botnets. Last year’s Storm worm showed a glimpse of the future of malware: sophisticated, agile and virtually impossible to defend against using traditional controls.

Board expectations will be high. Executive boards will back security but will set ambitious targets and take a close interest in progress. Many will bring in external expertise to provide direction or an independent opinion that governance processes are fit for purpose.

Security budgets will survive the purge. Gloomy economic prospects signal a round of cutbacks. IT budgets will take a major hit but security should survive and might even attract increased spending, though it’s likely to be quickly blown on external consultants and security investigations.

Restructuring is on the cards. With many directors keen to extend their oversight of security yet reduce their direct reports, mergers and takeover bids can be expected from related functions such as physical security, compliance and risk management. Meanwhile, more security activities will be embedded in IT service functions, further reducing the headcount in central security functions.

Greater attention to human factors. Vendors and their customers will wake up to the fact that spending on human factors is a fraction of what it should be. I’ve long been recommending that at least 10% of security budgets should be earmarked for people-oriented initiatives.

ISO Certification will take off. Incidents in 2007 demonstrated the consequences of failing to close the loop. You can’t expect policies and standards to get implemented without regular audits across business processes and supply chains. Accredited certification is the most effective tool to achieve this.

Expect an increase in security investigations. With greater management concern about data theft, insider threats and incident reports, one area certain to attract further spending is security investigations. Data mining and computer forensic services should be profitable lines of business for vendors.