IANS Faculty Offers Information Security-Related Predictions for 2010
BOSTON, MA (February 16, 2010) IANS (originally the Institute for Applied Network Security), a research and membership firm serving the risk management and information security industries, today released its annual industry predictions for 2010, sourced from the IANS Faculty. The major predictions focus on tight IT budgets, increased security threats and compliance mandates, greater interest among chief executives in security issues, and new technology solutions.
According to Jack Phillips, co-founder and CEO of IANS, “The IANS Faculty group now includes 40 of the strongest minds in the information security industry today. As in years past, our annual faculty predictions gathering again generated for our research clients a roadmap of what to expect over the coming 12 months.”
Budgetary Restrictions Remain
With an anticipated slow economic recovery, 2010 will remain a challenging year for information security professionals, who will continue to ‘do more with less.’ Over the past year software spending declined even more sharply than after the burst of the dot-com bubble. Three factors contribute to flat or declining IT budgets:
- Pressure to cut expenses to meet Wall Street’s demands for improved financial performance
- Consumer spending, which reacts strongly to bad news, tracks closely with corporate IT spending
- A slow economic recovery, which forces IT departments to manage their limited IT budget more efficiently than ever
Threats and Technology Challenges – Enterprise Applications, Outsourcing and Forensics
While security threats and technical challenges will persist, several transformations in the areas of enterprise applications, outsourcing and forensics will occur. Threats such as botnets, terrorist groups and malicious insiders will become more refined, while on the technical side the challenges of virtualization and of patching third-party applications will remain. IT professionals will continue to deal with issues related to virtualization – compliance and audit, complexity, risk and unauthorized applications – though neither operating system vendors nor governments are expected to offer transformational solutions.
The status quo will not hold across the IT environment as organizations move away from the traditional Microsoft desktop (i.e. Windows XP) toward Windows 7, Apple OS X and Google's hosted applications as enterprise platforms. This shift will change the way companies conduct audits and analysis, and will drive enterprise-level change through maturing configuration standards (Open Group, NIST, the Center for Internet Security, etc.).
The panel also noted that organizations that focus on risk tend to focus on data – how it is audited, protected and managed – and can more easily manage the transition to a virtualized, networked environment. The group also expects more churn in the choice between security products and outsourced security services as companies seek to shift spending from CAPEX to OPEX.
Finally, legal considerations are driving increased interest in, and need for, comprehensive forensics. Much of this interest comes from industries subject to breach-disclosure laws, such as health care or credit cards. These organizations must disclose when data is compromised, and forensics is essential to preventing over- or under-disclosure. While the emphasis on compliance will remain, a resurgence in security awareness is predicted as a cost-effective means of arming the front line and keeping intruders off networks.
Web Application Security – A Focus in 2010
Web applications will continue as a major IT security focal point this year. The public accessibility of web applications makes them one of the most damaging points of origin for IT security attacks. The panel expects regulation to expand into web application and data security, while common applications will be subjected to increased attacks throughout 2010. Challenges in patch and vulnerability management will grow as future exploits are likely to focus on client applications such as Adobe Reader and the Flash plug-in, and as zero-day attacks on high-value targets increase.
Existing Data Security Tools Used in New, Innovative Ways
New usage patterns for data security tools will emerge over the coming year. No new data security technologies are anticipated, but organizations will increase adoption of existing ones. Of particular interest:
- Data loss prevention (DLP) – not very effective in network (in-line) mode, but highly valuable for content discovery, where it is pointed at repositories or deployed on endpoints to find sensitive data at rest
- Database activity monitoring (DAM) – useful for monitoring database activity in real time and generating alerts on policy violations; it can be applied in more targeted ways, managing security issues in a detective (alert-only) mode rather than an enforcement (blocking) mode that breaks business processes
- Encryption – a battle is emerging in the PCI realm between end-to-end encryption and tokenization methodologies to secure credit card information throughout the transaction lifecycle
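To make the DLP content-discovery and tokenization items above concrete, here is an added example; it is not code from IANS, its faculty or any product. It runs a minimal content-discovery scan that finds Luhn-valid card numbers in a constructed set of repository files, then applies a vault-style tokenizer that replaces them with surrogates built to fail the Luhn check, so that a rescan of the same files comes back clean. The file paths, contents and card numbers are constructed test data (the PANs are the public Visa/Mastercard test numbers), and the regex, class and function names are this example's own.

```python
import re
import secrets

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits. (Pattern chosen for this example.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it, which removes most of the false
    positives of a bare digit-count match (order numbers, timestamps, build IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Content discovery over one blob of text: returns the normalized PANs found."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def scan_repository(files: dict) -> dict:
    """Discovery-mode DLP over a repository (modelled as path -> content);
    only files containing at least one valid PAN are reported."""
    findings = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            findings[path] = pans
    return findings


class TokenVault:
    """Vault-style tokenization. A token is a random surrogate that keeps the PAN's
    length and last four digits (for receipts and customer service) but is chosen to
    fail the Luhn check, so it can neither be used as a card number nor be mistaken
    for one by a scanner. Unlike encryption, no key anywhere turns a token back into
    a PAN; only the vault lookup does."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:      # the same PAN always maps to the same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]   # KeyError for an unknown token


def tokenize_text(text: str, vault: TokenVault) -> str:
    """Replace every valid PAN in the text with its token; leave everything else alone."""
    def replace(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return vault.tokenize(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(replace, text)


# Constructed sample repository. 4111..., 5555... and 4012... are the public
# Visa/Mastercard test numbers; the 16-digit value in build.log fails Luhn.
SAMPLE_FILES = {
    "finance/refunds-q4.csv": "order,amount,card\n"
                              "1001,19.99,4111111111111111\n"
                              "1002,250.00,5555 5555 5555 4444\n",
    "support/ticket-4471.txt": "Customer called about order 1003; card ending 1881 "
                               "(4012-8888-8888-1881) was charged twice.\n",
    "eng/build.log": "build 20100216 finished in 1234567812345678 ns\n",
}


def run_discovery_and_tokenize(files=SAMPLE_FILES):
    """Scan, tokenize every file, rescan; returns (before, after, vault)."""
    vault = TokenVault()
    before = scan_repository(files)
    tokenized = {path: tokenize_text(content, vault) for path, content in files.items()}
    after = scan_repository(tokenized)
    return before, after, vault


if __name__ == "__main__":
    before, after, vault = run_discovery_and_tokenize()
    print("before tokenization:", before)
    print("after tokenization: ", after)
```

The Luhn filter is what keeps discovery useful on real repositories: the build-log value is the right length but is never reported. The vault is the part that distinguishes tokenization from end-to-end encryption in the PCI debate above: an encrypted PAN is recoverable anywhere the key is present, whereas a token is meaningless outside the vault, which is why downstream systems holding only tokens can fall out of PCI scope.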
C-Suite and Board Involvement in IT Security Due to Increased Breaches
IT security is increasingly getting the attention of company executives and boards of directors, due in part to the cost of breaches reaching well into seven and eight figures. In addition, unlimited liability clauses are starting to appear in standard master service agreements. As boards enter the realm of information security, the IT department needs to educate them on the right questions to ask, and discussions should expand to include the total cost of breaches.
Cloud Computing a Reality in the SaaS Realm, Future Less Clear for Infrastructure Solutions
The panel participants believe the IT community will benefit from viable and useful SaaS security offerings, as many vendors look to SaaS as a way to deliver security products. Within the predicted onslaught of cloud security offerings this year, participants believe some will be useful, stopping threats before they enter the corporate IT environment. SaaS products can reduce management overhead, but the cloud still has few standards. The result: applications are being pushed into the cloud without much risk assessment.
Many of the panel participants suggest organizations should remain wary of infrastructure as a service (IaaS) and platform as a service (PaaS). Unlike SaaS, which is a well-understood model, IaaS has room for improvement. The ‘trust us or else’ stance of companies like Google and Amazon toward their cloud offerings works in the consumer space, but enterprises need more transparency. An opportunity exists for smaller, more nimble IaaS providers that can offer it. PaaS remains a wildcard, with Citrix and VMware currently battling to win the platform war for cloud computing.
