A friend of mine, currently in the process of organising one of the hot conference events in the industry calendar for next year, was hypothesising yesterday about what the predominant information security topics will be for 2009. Quite honestly, I don’t think we’ve yet resolved, to any degree, any of the risks we’ve been working on mitigating since time began: malware, insecure applications and all the other things we’ve become tired of hearing about. Are we suffering from problem fatigue, working through a continual cycle of issues that all have the same root causes?
What’s really needed are new approaches to assessing and managing risk. However, if anything is going to change for 2009, I think it’s going to be the way that information security is perceived. Organisations are starting to mature and to see it less as an IT issue and more as a people issue, which is good news. There’s going to be greater emphasis on security awareness: training people how to manage data and recognise risks, teaching employees how to recognise and react to social engineering, and anti-fraud controls.
Security “in the cloud”, particularly the business continuity challenges that it brings, will be one of my hot topics. So too will be outsourcing and the risks associated with third party vendors.
The fundamentals that underpin most security programmes will continue to hold their ground. So there’ll be more malware, more poorly written applications, more data being thrown around as if it were worthless, and more endless cycles of patching over other people’s errors. Yes, it’s been one of those days!