Prognostication Time!


  • My top 10 predictions for the 2007 Security/Risk Management Scene!

    1.) The NAC market doesn’t consolidate just yet, but…

    The writing is on the wall for many vendors. Those that aren’t generating positive cash flow right now are going to have trouble existing in 2008. Also, "consolidate" is a nice word for what will happen. I don’t really know how many NAC vendors there are (12?) but for the most part only 3, maybe 4 independents will be around by EOY 2008. What ought to scare NAC vendors is that the exit strategies for the other 9 or so aren’t going to be "purchased by Cisco (Checkpoint, Nortel, whomever)."

    2.) Metric efforts (mostly) disappoint.

    Those companies without a good framework for Risk and Risk Management will focus on what they can empirically measure - performance or compliance metrics. These will be of some value, but don’t really help IRM groups communicate current state or even come up with a good desired state.

    3.) Checklist approaches proliferate, esp. the ISO

    It’s easier to spend budget stupidly than to spend it wisely. It’s also easier to proudly announce to senior management that, "We’re in Compliance!" than "We’re Effective!" No risk framework, no metrics = making sure that there’s no dust underneath the raised floor in the server room 4 times a year. Hooray!

    4.) The shift of "soft skills" from CIO to CRO continues.

    But in those organizations that have already moved the CISO away from "hard skills" IT Security the pendulum will start to swing back due to catastrophic internal political failures.

    5.) RSS "Threats"

    Because the technology is built into Vista and IE and Outlook, RSS in the enterprise becomes just as "scary" (in the FUD sense) as personal web surfing and email. One or two "threats" are over-hyped to sell products or product upgrades.

    6.) The Battle of the Desktop

    Speaking of IE 7 and Vista, the big Non-Issue that grabs the headlines this year in the trade rags thanks to advertising dollars is "Who You Should Be Buying Your Desktop Security From." This battle between Microsoft and traditional vendors is already off to a hyped start, but should peak this summer in time for the 2008 budget cycle. In the independent blogosphere, no one will really care outside of one or two of us writing about how silly it all is. By 2008 Microsoft will announce their intention to build desktop security services into the next OS release as a "free service," but only as a means to hurt the stock prices of their competitors and spur adoption of their current pay-for offerings ("you’re going to have to switch to Microsoft anti-malware at some point in the future, so why not get the ball rolling now?"). We don’t actually see a free anti-malware service from Microsoft until at least 2010.

    7.) Why You Should Buy Vista

    More Vista: There will be an independent TCO study that shows the security features of Vista make it well worth the price of Vista and upgrading your hardware. OK, this one is a softball, I know.

    8.) No real changes in HIPAA and SOX legislation will be enacted by Congress.

    These issues are fraught with politically dangerous waters thick with the pirate ships of Special Interest Groups - so Congress will wait for 2009, when both parties hope to have a majority and the White House. Oddly enough, in ‘09 it will be the Democrats that relax government bureaucracy (SOX) on corporations. HIPAA may be given some "teeth" in ‘07 - by a means that doesn’t require a major act of legislation - but just so we can see a token fine or two handed out. Still, for the most part, the "threat" (sic) of HIPAA compliance losses will continue to be a non-issue for CISOs.

    9.) Cyberterrorism remains only the dream of bad guys and FUD pushers.

    But because PCI has peaked, the HIPAA emperor has no clothes and GLBA is a battle already fought by vendors - NERC/SCADA becomes the next target for security boutiques looking for a compliance niche. They’re largely unsuccessful in making any real money there.

    9a.) US Government Risk Management efforts continue to be massive failures.

    This is such a softball I won’t call it a prediction, but it is related to the above.

    10.) Application Security is Hard

    Application Security remains the most important control consideration for IT Security and Risk Management, but continues to receive too little emphasis in the SMB market due to the complexity and price of developing secure applications.

    So let’s play a game of "blog tag":

    Mike Murray

    Mike Rothman

    Andrew Jaquith

    Amrit Williams

    Rich Mogull

    TAG!!!

    How about your 10 Predictions for ‘07? What are they? An OS X Virus? XSS? Data "leakage" efforts? Let us know!


  • 5 comments

    1. Mike Rothman Dec 14

      My 2007 Incites will appear in early January. Too busy and focused on getting the book over the finish line. Though between Xmas and New Years I’ll be putting the wrap on my 2006 Incites. Sorry Alex, you’ll just have to wait until then to find out what I’m thinking for 2007.

    2. Alex Dec 14

      Aw, Mike! I said Prognostication, not procrastination!

      Just kidding. I know you’re busy and for good cause. Just thought I’d give you a topic to blog about.

    3. Mike Jul 24

      I have just come across one website which provides a wonderful tool to comply with regulatory authorities like HIPAA, and it also helps in complying with many other regulations. A crosswalk matrix poster between different regulations, a very useful tool for the compliance team and risk management office. This poster is a crosswalk between: ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC standards CIP and PIPEDA (Canada). http://www.compliancehome.com/symantec/

    1. Security Prediction 2007: The year security becomes irrelevant! « Observations of digitally enlightened mind
    2. Jeff Jones Security Blog: (Belated) Security Predictions for 2007
