Information Security Predictions for 2010

It’s 2010 now, and as I’ve done in the past, I’m going to make a few predictions concerning information security-related events and changes that I believe will occur in 2010.

First, I predict that at least one data security breach that is bigger than the Heartland Payment Systems incident, in terms of both the amount of personally identifiable information (PII) compromised and the money lost, will occur in 2010. Financially motivated perpetrators know that there is far more money to be made from their sordid activity than they have been making (and many of them are already making millions of US dollars annually). They have been advancing and perfecting their attack methods for years. In contrast, most organizations continue to devote pathetically few resources to mitigating security-related risks. Worse incidents than the one Heartland experienced are thus inevitable.

Second, I predict that blended threats will continue to increase in prevalence and magnitude. The train bombings in Madrid several years ago were a classic example of a blended threat: the mobile phone network and explosives were used in conjunction with each other, resulting in massive loss of human life. Lamentably, the Internet will increasingly be used in connection with terrorist activities and, ironically, terrorists will use better security practices (e.g., data encryption, strong authentication, and so on) than governments and commercial organizations will. This trend will persist well beyond 2010.

Third, I predict that the Obama administration will, like the administrations before it, continue to pay lip service to cybersecurity, but will not do much about it in 2010. I am not really criticizing the current administration. It is impossible to launch and sustain too many initiatives simultaneously, and initiatives such as rescuing the economy and fighting terrorism have a much higher priority than fixing the cybersecurity problem that exists in the U.S. right now. If and when some of the major initiatives succeed, the likelihood that the President will turn more attention to cybersecurity will increase substantially, but I do not expect this to happen in 2010.

Fourth, I predict that people and organizations will continue their current rush into "cloud computing" and social networking without much, if any, thought about security considerations. Massive security incidents will occur in 2010: compromises of entire customer databases, prolonged disruption of critical business processes, and worm outbreaks on major social networking sites such as MySpace and Facebook that make these sites unusable or shut them down entirely.

Fifth, I predict that in 2010 the music and film industries will continue to make major advances in their war against piracy. Court rulings and legislation will give them greatly expanded power to snoop on users and to force Internet service providers to turn over information about users' usage patterns. Privacy advocacy groups will react by raising more money to fight court cases initiated by the music and film industries and by increasing public awareness of excesses by these industries.

Sixth, I predict that in 2010 the PCI Security Standards Council will tighten the PCI-DSS requirements to address current gaps resulting from the Council's very information-centric approach to cardholder data security. I am not being critical of this approach; it is, after all, the most logical approach when information is the "crown jewel" that needs to be protected. But in focusing on information per se, less attention is paid to other threat vectors, such as hosts that do not store, process or transmit cardholder data but that are reachable from the cardholder data environment and could therefore be used as a pivot point to attack hosts that do. Additionally, the Council will mandate continuous rather than annual compliance with the PCI-DSS.

Finally, I predict that the information security job market will start to improve in 2010, primarily as the result of senior management within organizations either directly experiencing or reading about the huge and costly incidents that will occur. The improvement in the job market is likely to be preceded by increased demand for information security consultants to fill specific needs. Money for permanent hiring will then become available as the economy starts to improve. I also foresee that information security management skills and experience will be particularly sought after; good information security management is the critical differentiator between an effective and an ineffective security practice.

I could make more predictions, but after all, psychologists say people can hold only seven plus or minus two chunks of information in their short-term memory, and I've presented seven predictions. And if nothing else, I really hope that my predictions will fare better than Gartner's predictions have over the years! Only time will tell, however.