The outgoing year 2011 has been turbulent and eventful for information security, with a number of high-profile security incidents and a rise in cyber fraud (or e-crime), and there is no indication that 2012 is going to be any different, writes Vladimir Jirasek, head of security solutions at WorldPay and director at CSA UK & Ireland.
The priorities for information security professionals in 2012 can be split into several areas:
1. Legislative lobbying for consolidated international information security laws
The world needs less legislation, not more. Laws and regulations related to information security are the result of a siloed approach by individual lobby groups. Look at data protection legislation around the world: international privacy law is so complex that even many lawyers do not understand all of its implications.
Looking at pure information security standards, the field is just as fragmented. What we need is one standard for information security that sets the baseline, with specialised modules added on top of it. For example, PCI DSS could be stripped of the requirements it shares with other standards, such as the ISO/IEC 2700x series, and the requirements specific to payment processing would become a module within the ISO standard.
2. International cooperation in tackling e-crime
Cyber criminals are laughing their socks off when committing e-crime. Not only is the internet more or less anonymous, but legislative complexity and bureaucracy also protect them from the arm of the law. Countries need to agree on a single legal framework for cybercrime, together with processes to identify, apprehend and prosecute cybercriminals across borders.
3. Technology to protect by default
The root cause of many cybersecurity incidents lies in the underlying internet and computer architecture. Both were designed with very little security in mind, and security controls have been bolted on afterwards to solve problems as they arose. Look at the internet, where anonymity supports e-crime: can you imagine the same system on the roads?
Computer architecture needs to build in the controls that make our computers trustworthy. Some mobile phone platforms have been very successful in this area, Microsoft's Windows Phone and Apple's iOS for example, through controls such as application sandboxing and mandatory code signing. Traditional desktop operating systems have a lot to learn from mobile platform security. Such a trusted platform could then serve as the foundation for future initiatives, such as a trusted identity assistant in your pocket.
In summary, 2012 should be the year in which governments come together to simplify cybersecurity and privacy laws, and computer hardware and software companies step up their efforts to create trusted computing platforms.