It’s always tricky to write about “top trends,” especially in information security, given that things are always in a state of flux. Yet still I can’t help but think about several key areas that you and I must keep our eyes on as we move towards the end of 2013.
The following are what I believe to be the most relevant areas impacting us as information security practitioners and the industry as a whole:
1. Government surveillance
The Edward Snowden/NSA issue has been very eye-opening. I’ve suspected all along that large ISPs and web service providers have been tracking our every move, but who knew the extent of all the government weasels snooping so deeply into our private business? The thing you’ve got to be thinking about is how you’re going to protect your own organization’s intellectual property from rogue government actors that have full access. Even though it’s the opposite of what we need, I suspect that government spying and control will grow even more. “Cybersecurity” to the rescue!
2. Cloud distrust
In the aftermath of government spying, cloud service providers are taking some heat. Businesses already have their suspicions about security in the cloud. Now that we know more about how data is treated once it gets out of our hands, it’s going to be an uphill battle for cloud service providers. In fact, the Information Technology and Innovation Foundation recently estimated the loss of revenue due to these findings to be anywhere between $22 and $35 billion. Furthermore, CompTIA’s new 4th Annual Trends in Cloud Computing confirmed that the main reason people avoid cloud solutions was concerns over security.
3. Mobile complexity
Not just BYOD and MDM but mobile apps as well. I truly believe that the lack of control most businesses have over mobile apps is one of the greatest risks in information security today. Be it questionable apps their users are installing at will or apps that are being developed for business reasons, there are security vulnerabilities from practically all perspectives.
4. Minimal visibility
This is not because you don’t have the information. It’s there on your network right now. The problem is a general lack of time, tools, and expertise in any given IT shop. This is not meant as a derogatory comment. I just see how the typical IT professional struggles to keep afloat with so many things going on. No single IT professional can (or should) be expected to stay on top of everything that’s happening in his environment when he already has a full-time job doing everything else he’s responsible for. That’s why “big data analytics” is becoming so popular.
5. Getting people on our side
I still believe that getting buy-in for information security initiatives is one of the toughest obstacles we face in IT, and it’s harder than ever in 2013. The new Ponemon Institute study titled The State of Risk-Based Security Management, among many others each year, underscores the reality that we don’t have the support that we need to be successful in security. And, based on the research and what I’m seeing in my work, it’s just as much our fault as it is anyone else’s. We have to learn to communicate well. If not, information security will be an uphill battle next year and every year thereafter.
Again, everyone has their own take on the top issues we face in information security. Each organization’s needs and risks are unique as well. One thing is clear, though: you cannot sit back and “hope” that none of these things ultimately creates or facilitates security headaches for your business. Ignore them long enough and they will.
Be a long-term thinker who can see the bigger picture. It’s when you get caught up in your day-to-day minutiae that you get caught off guard the easiest.