Security Forecasts for 2011

What will 2011 hold for information security professionals? Last year I predicted a year of change. It did not happen. But we are incubating a major crisis: legacy systems are vulnerable; existing security technologies are breaking down; a dangerous monoculture is building; and an information tsunami is heading our way.

Today’s security solutions will not meet tomorrow’s demands. The longer we put off change, the greater the potential damage from a major incident. The security community is slow to react to a changing problem space, however, preferring gradual evolution to radical revolution. So don’t hold your breath. Nevertheless, I expect to see three major shifts in thinking during 2011.

The first is that we are likely to experience a major security incident involving the integrity of our critical national infrastructure. Not quite Die Hard 4 perhaps, but sufficient to incentivise utility companies to tackle their long-standing security vulnerabilities. Building security into the systems development cycle will need to be taken out of the “too difficult” box. The long haul towards building acceptably secure information systems will begin.    

The second is that emerging new security technologies, based on virtualisation and trusted computing, will encourage user organisations to develop non-traditional approaches to securing enterprise infrastructure. Cloud computing technology will provide an opportunity to escape from the treadmill of patching physical platforms. Security will also migrate to the cloud, and previously-ignored controls, such as device authentication, will become fashionable. 

The third is that the growing need to encourage small and medium enterprises to implement security will finally be tackled. ISSA-UK is leading the way with new standards and guidance. Their initiative is likely to set a much bigger ball rolling across the globe, as SMEs dominate supply chains across key supplier regions such as the Far East.     

Many other things should – but will not – happen. The supply chain is likely to remain ‘the elephant in the room’. Data integrity will be a greater concern, but little will be done. The need for new skills, ranging from psychology to reverse engineering, will be debated but not addressed. The importance of the human factor will be recognised, but awareness budgets will remain low.

But 2011 will see the start of a revolution in security thinking, which will last for most of the next decade, a period that might prove to be a new age of enlightenment for information security.   


David, I work inside Intel's IT organization and we see a tremendous amount of change around the information security landscape. We are executing a major shift in our IT security policies, approach and business requirements. Here is an IT paper that describes what we are seeing and more importantly what we are doing about it. Hope you find it interesting. Chris, Intel IT

I feel the lack of Information Security Training is the main cause for most of the attacks to occur. A well trained security professional will know how to defend the networks, hack their own network ethically and uncover the hidden vulnerabilities. I came across one such training in Ethical Hacking by EC-Council. I came to know about it by seeing the posting of the latest Certified Ethical Hacker (CEH) courseware launch by EC-Council mentioned in CCURE. Read: "CEH V7 is coming, move away QEH, CPTS, CREST, and others". Check the posting:

WIN a FREE CEH v7 TRAINING CLASS

The latest CEH V7 that is due for commercial release is creating a lot of buzz in the information security community. With the new release of CEH, EC-Council is planning to offer a limited number of training seats (125) across 25 locations around the globe FREE OF COST. The news was revealed at CCCURE's website. For more information read "CEH V7 is coming, move away QEH, CPTS, CREST, and others" on its homepage. Another well known Information Security forum, The Ethical Hacker Network, is also abuzz with the latest release of CEH version 7. EC-Council is yet to release an official statement regarding the WIN a FREE CEHv7 Seat. If sources are to be believed, the official announcement will be towards the end of Jan 2011. Everyone is encouraged to watch EC-Council's tweets by following "eccouncil" on Twitter, as one rarely finds Certification Organizations offering training and courseware absolutely free of cost. Keep watching their tweets and homepage for more details on the FREE CEH v7 Class offer.