What will 2011 hold for information security professionals? Last year I predicted a year of change. It did not happen. But we are incubating a major crisis: legacy systems are vulnerable; existing security technologies are breaking down; a dangerous monoculture is building; and an information tsunami is heading our way.
Today’s security solutions will not meet tomorrow’s demands. The longer we put off change, the greater the potential damage from a major incident. The security community is slow to react to a changing problem space, however, preferring gradual evolution to radical revolution. So don’t hold your breath. Nevertheless, I expect to see three major shifts in thinking during 2011.
The first is that we are likely to experience a major security incident involving the integrity of our critical national infrastructure. Not quite Die Hard 4 perhaps, but sufficient to incentivise utility companies to tackle their long-standing security vulnerabilities. Building security into the systems development cycle will need to be taken out of the “too difficult” box. The long haul towards building acceptably secure information systems will begin.
The second is that emerging security technologies, based on virtualisation and trusted computing, will encourage user organisations to develop non-traditional approaches to securing enterprise infrastructure. Cloud computing technology will provide an opportunity to escape from the treadmill of patching physical platforms. Security will also migrate to the cloud, and previously ignored controls, such as device authentication, will become fashionable.
The third is that the growing need to encourage small and medium enterprises to implement security will finally be tackled. ISSA-UK is leading the way with new standards and guidance. Their initiative is likely to set a much bigger ball rolling across the globe, as SMEs dominate supply chains across key supplier regions such as the Far East.
Many other things should – but will not – happen. The supply chain is likely to remain ‘the elephant in the room’. Data integrity will be a greater concern, but little will be done. The need for new skills, ranging from psychology to reverse engineering, will be debated but not addressed. The importance of the human factor will be recognised, but awareness budgets will remain low.
But 2011 will see the start of a revolution in security thinking, which will last for most of the next decade, a period that might prove to be a new age of enlightenment for information security.