I expect we’ll all remember 2008 for the credit crunch. Not many saw it coming, and those that did could not have foreseen the depth of the financial meltdown. It was a classic case of a “black swan”, a large, unexpected, disruptive event. The truth is that there might be many “givens” when forecasting the future, such as the strong likelihood that, in the long term, most of us will be healthier, richer and live longer. But there are also many nasty surprises along the way.
What about my own forecast for information security in 2008? Did I get it right? Or did I fail to see the important developments?
Back in January, amongst other things, I suggested that media coverage of data breaches would intensify, and that social networking would become a major target. That was an easy one. Journalists are always attracted to human interest failures, and social networking is at the heart of human interest, arguably the top of the hack’s agenda.
I also suggested that confidentiality would be the new focus, and later in the year I added the prospect of threats to data integrity, which can be even scarier. In fact, confidentiality has been a major concern of most big organisations that process sensitive information or valuable intellectual property. But this paranoia has yet to cascade down to many smaller organisations. And integrity remains a ticking bomb that’s waiting to demolish many corporate reputations.
I was also expecting a very large global incident, perhaps a wake-up call to the growing sophistication of network worms and Trojans. That’s still waiting to happen. The vulnerability is still there. But the motive and capability have yet to combine. Once they do, the risk landscape will be transformed forever.
I also suggested that most executive boards would back security but set ambitious targets and bring in external expertise. I’ve seen that happen in many large companies. Several CISO jobs have been upgraded and Big 4 auditors have had a nice line of business in interim management. I also predicted that security budgets would survive the purge, and that many functions would be restructured. And that’s certainly been the case in many organisations.
My biggest disappointment was that greater attention has not been paid to the human side of security. There’s been plenty of talk about the need to transform security culture, but very little real action. That will have to change in order to stem the tide of damaging incidents. The same holds for ISO certification. It’s the most effective process for ensuring that things get done, but not enough organisations go to the trouble of “closing the loop” on their policies and standards.
Finally, I suggested that there would be an increase in security investigations and computer forensic services. That’s certainly been a growth area. We are on the verge of an explosion in forensic services. Unfortunately, there is a severe shortage of skills and training. We need to raise our game substantially if we are to maintain standards in this important area.