IT security trends are moving away from a tactical, technical focus on IT operations to "information risk management." Bring in the consultants! The evolution toward information risk management is shaking up the way IT security works at many large organizations.
Jonathan Penn, a security analyst at Forrester Research Inc. in Cambridge, Mass., has singled out five trends in IT security that are on your chief information security officer's agenda in 2008:
- GRC: IT governance, IT risk management and IT compliance (GRC) will converge into one discipline, with greater attention paid to metrics, staffing and optimal organizational structure.
- IT security operations: As IT security technology becomes commoditized and embedded in IT infrastructure, security organizations will split into two groups: strategy teams focusing on business issues of risk management, and operational teams overseeing the technical aspects.
- Application security: Applications are a prime target for attackers because they deal with sensitive data. A "fix it when danger strikes" approach is giving way to proactive security programs that span the application lifecycle, from bright idea to operation.
- Datacentric security: In an age of many business partners, this is the mammoth effort to classify data in order to determine who gets to see it and how to protect it. This cannot be done in a vacuum and requires close communication with business leaders.
- Digital investigations, forensics and e-discovery: This can be a scary and daunting area -- especially e-discovery, in which organizations are still struggling to figure out what constitutes best practices.
Source: Forrester Research Inc. "Five Trends That Will Shape The IT Security Profession in 2008," Jonathan Penn.