As I write this column, it is a balmy 55 degrees here in the Boston area--hardly the type of weather that drives New Englanders to start planning for the new year.

Nevertheless, the holidays have come and gone and it is thus time to take a stab at forecasting what to expect in information security over the next 12 months.

1. More privacy legislation
Now that the midterm elections are behind us, the folks in Washington will take a break from spending our money and focus on protecting our money. Democrats like Sens. Chuck Schumer of New York and Dianne Feinstein of California love this issue anyway and it makes good press--who wouldn't be in favor of cyber-protection for their constituencies? Look for a lot of grandstanding early in the year followed by the passing of a new data privacy bill sometime in the fall.

2. Data governance
Total data capacity continues to grow around 50 percent annually, but few companies do a good job at classifying data, tracking its movement or monitoring/enforcing privacy policies. This is the most obvious reason why there are so many data breaches so often--no one has any idea of what is stored where. Rather than address this with tactical point tools, look for large organizations to get serious about data governance this year. This will drive lots of large professional services work and further industry consolidation as the EMCs, IBMs and Symantecs of the world scoop up specialists like Liquid Machines, Vericept and Reconnex.

3. IT risk management
As security becomes less tactical and gains a business/enterprise orientation, information security will morph into an evolving category called IT risk. More firms will create chief IT risk officer positions whose holders manage system availability, performance management, disaster recovery, backup/restore, information security and IT's contribution to regulatory/industry compliance. Look for more adoption of IT governance models like ITIL/ITSM, CoBiT and the NIST 800 series to dovetail with the IT risk management trend.

4. Secure software development
By the end of 2007, many enterprises will mandate that their independent software vendors and outsourcers have formal, demonstrable processes for secure software development, similar to Microsoft's Security Development Lifecycle (SDL). Reactive software vendors will scramble to establish these processes, while professional services organizations like Symantec (@Stake) that focus on this area will suddenly have more work than they could have ever imagined.

5. Encryption everywhere
PCI and new privacy regulation will act as the hammer, but more and more encryption solutions will also come from the industry itself. New databases have row-level encryption baked in, as do disk and tape drives from vendors like Seagate, IBM and Sun. Windows Vista BitLocker will also drive mass encryption deployment as it gains momentum throughout the year. By 2008, encrypting data won't be as big a deal. Instead, encryption key and policy management will become a huge issue overnight.

6. Network reconstruction
Network upgrades are ongoing, but the Y2K-like IPv6 upgrade process will take off in 2007, driving major network overhauls. Next-generation networking equipment will include security features like access controls, application-layer filtering and multilayered encryption in its design. So expect vendors like Enterasys Networks, Extreme Networks, Hewlett-Packard and Juniper Networks to try to trump Cisco Systems by flexing more and more security muscle.

7. Security management
While growing, this is an extremely immature market, as evidenced by the fact that a VC-backed start-up like ArcSight is still the market leader. The tables will turn this year as Cisco, EMC, IBM, Novell and others look to leverage their recent acquisitions. Look for the big guys to bolster professional services in this area and add network behavior anomaly players like Mazu Networks and Q1 Labs to round out their portfolios. By the end of the decade, security management will slowly and quietly become a component of network operations.

8. Fire sales and failures
In 2007, VC-backed companies like ArcSight, Fortinet and Webroot Software have their backs to the wall. Each has done relatively well in the market, but these guys raised tons of money and there is no profitable exit strategy in sight. For example, Webroot raised more than $100 million in funding, and its main product has become a feature in Kaspersky Lab, McAfee and Zone desktop security. Yikes! With the competitive heat rising rapidly, look for a VC tag sale this year or Chapter 11 declarations next year.

9. Microsoft gains security respect
I know I'll take some heat for this one but by 2008, many security professionals will stop their incessant bad-mouthing of Microsoft. Why? Products like Forefront and Windows Vista will open a lot of eyes, but Microsoft will also provide a well-integrated security alternative, especially for small and midsize businesses. By 2008, Rodney Dangerfield will have to find a new information security home. I hear Redwood Shores is available.

10. Identity management plods along
This sector is also due for explosive growth. Government initiatives (think HSPD12), new device types and extranet applications are driving demand, while standards (SAML, 802.1x), smart new technologies like the Trusted Platform Module (TPM), and industry consolidation have reinvigorated suppliers. Slowly but surely, identity integration is getting easier, too. This means that projects can be streamlined with fewer dollars going to fat-cat system integrators like Accenture.

Many of these trends are net positives for the information security world. Despite this, we are likely to see some spectacular breaches in 2007 as well.

Biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

We have laws they just ignore them.
by Solaris_User January 5, 2007 8:35 AM PST
With the recent claims that the feds do not need a warrant to read e-mail because it's not "in our possession," Congress need not write additional data privacy laws to protect our data. Also, primarily they must protect it from themselves, i.e., government.

The 4th Amendment (not that they pay any attention to it, but...) states we are to be secure in our "persons, houses, papers, and effects" against "unreasonable searches and seizures".

Just as government needs a warrant to search your rented gym locker so must they have a warrant to search your Yahoo inbox folder.

We need to tell George Bush he does not have a right to search without a warrant and it doesn't matter what type of terrorist activity they are investigating. The reason never trumps your right to be secure in your effects. They need a warrant always EVERY single time.

If they want to write specific laws reinforcing that, it's OK by me, but I just wish they would respect the laws they have... and stop trying to find "ways around" the constitution... it means what it says.
"Microsoft Gains Security Respect"?
by Penguinisto January 5, 2007 9:53 AM PST
Dunno - that part remains to be seen, and it assumes a lot of things:

1) ...that Vista will have few to no exploitable holes. Not likely given its size and complexity.

2) ...that MSFT is actually proactive on patching and stays as such.

3) ...that things like DRM and other user-directed restrictions don't force users to compromise their own security (via disabling, underground patches and the like) just to run their stuff (be it custom apps, media, what-have-you).

4) ...that #3 doesn't begin to happen at the corporate level, for the same reasons.

Kudos to them for actually doing something, but IMHO the things they do will have to be effective before they lose the security risk stigma that they have rightfully earned over the years.

/P
Some heat is an UNDER Statement
by wbenton January 5, 2007 11:09 PM PST
>>>I know I'll take some heat for this one but by 2008, many security professionals will stop their incessant bad-mouthing of Microsoft.<<<

(* ROFLOL *)

Personally I wouldn't stake anybody's reputation on that... well... except Microsoft's... (* ROFLOL *)

They have TOO MUCH to do and TOO LITTLE time to do it in. 2008 is only a year away, but it's going to take them at least 5-10 years before they can clean up the title they've earned over the past 20 years.

Walt
Microsoft and security respect
by the_integrator January 8, 2007 7:33 AM PST
I'm not a Microsoft basher; I work with their products all the time and I have seen vast improvements. However, whilst they insist on embedding their browser into the operating system, they cannot be seen to be taking security as seriously as they should. This disastrous design flaw, along with the addition of ActiveX, ensures their browser is significantly less secure than other browsers. As for Symantec's credentials, these have suffered a serious blow by their insistence on the user installing wscript in order to install and configure their products. The security industry really needs to get its act together over stupid blunders like these.
Let's see some Ronseal security!
Microsoft Gains Security Respect
by Ryo Hazuki January 13, 2007 4:38 PM PST
The question of whether Microsoft will get security respect by 2008 is not a question of whether that respect will be deserved by Microsoft (IMHO it already is to some extent, with products like Windows Vista, Internet Explorer 7 and Windows Defender), but of whether people in general (and that includes many short-minded, ignorant people biased against Microsoft) will give that respect where it is due, even (even) if that means giving respect to evil Microsoft (something I seriously doubt will ever happen, at least regarding some people).