As we near the close of 2011, I find it instructive to look back and see just how accurate my forecasts proved to be. At the start of the year I forecast three major shifts in thinking during 2011.
Firstly, I expected that we would experience a major security incident involving the integrity of critical national infrastructure – perhaps an easy forecast, given the discovery of Stuxnet in 2010. Yet surprisingly it didn’t happen. 2011 was perhaps a lucky year for CNI managers, but many insecure legacy systems continue to survive on borrowed time.
Secondly, I forecast that emerging security technologies, based on virtualisation and trusted computing, would encourage user organisations to develop non-traditional approaches to securing enterprise infrastructure. Unfortunately, as Bill Gates pointed out, we have a tendency to overestimate what happens in the short term and underestimate what comes to pass in the longer term. Many existing solutions were found wanting in 2011, but innovative alternatives have yet to be adopted.
Thirdly, I predicted that we would finally see some action in response to the growing need to encourage small and medium enterprises to implement security. I’m pleased to say that this forecast was nearer the mark, with the launch of the ISSA-UK 5173 standard, the US Government “Small Biz Cyber Planner” and a host of vendor solutions from the likes of Qualys, Sourcefire and Dell.
I also suggested that 2011 could see the start of a revolution in security thinking, which would last for most of the next decade, a period that might prove to be a new age of enlightenment for information security. On this one I probably jumped the gun. I still believe this will likely happen, but not until next year, judging by the reaction I get from my lectures to universities and conferences.