Security Forecasts for 2010

What will 2010 hold for information security professionals? Will it be more of the same? Or will it herald major changes? Personally, I believe it will be a year of change. Amongst other things, I expect to see three major trends.

Rethinking security roles and skills will be a dominant theme, triggered by pressures on in-house security functions to demonstrate business value. The traditional, operational focus of many security managers has been eroded by progressive externalisation of the solution space. Many CISOs operate at a distance from the operational action. Technical skills are less relevant and policies more difficult to enforce. Security managers need to be more than a tick in the compliance box or a convenient whipping boy. At a time when there is political pressure to reduce headcounts, we need to go back to the drawing board and establish new roles, objectives and competences.

Data integrity will be a growing concern, though little will actually be done about it in 2010. The next year will be a year of awakening rather than solutions, an attempt to understand this long-neglected, final frontier of information security. Several years ago when I raised this issue, I seemed to be a voice crying in the wilderness. Last year many professionals voiced their support. More recently, it’s shown signs of becoming a hot topic. Give it a few years before we see any real action, as it’s a long-term fix. Start by examining the problem space and be prepared to be shocked by what you uncover.

Supply chains will dominate the problem space. Whether it’s the fear of technology suppliers planting back doors and Trojan horses in our information systems, or it’s the threat of sub-contractors creating breaches or holding us to ransom, it’s clear that we don’t do enough to address the security of the supply chain. 2010 will be the year when we will be forced to get to grips with a problem space that’s difficult, uncomfortable and expensive to address. Contractors are the soft underbelly of our information systems. And regulators are sharpening their knives.