It's the holiday season, and that means it's time for all of those pundits out there to start gazing into their crystal balls and figuring out what's going to happen in the coming 12 months. I'm a pundit, too, and given the amount of change in the information security business over the past 12 months, 2008 is sure to be eventful.
The old adage for information security professionals is that we want our days to be "uneventful." A good day is a day where nothing happens. So the amount of turmoil in 2007 was certainly unwelcome. But before we delve into the future, let's take a quick look at what happened in 2007. It can be summed up in three words: TJX, PCI and bots.
The bad guys (and gals) have been focused almost exclusively on stealing private information, which was readily apparent when the true depth of The TJX Cos.' data breach came to light early in the year. It's likely that more than 100 million customers will have been compromised, and the ramifications to the banks and retailers will be felt for years to come. You can't mention TJX without discussing the Payment Card Industry (PCI) standard, either. The depth of the TJX breach is positioned to give some teeth to the PCI regulation. We'll talk about that more later.
Finally, 2007 will be remembered as the year of the bot. These compromised machines have been doing the dirty work of the organized cybercrime rings all year. So the objective now is to not just steal personal information, but also to turn the machine into a drone that sends spam, launches denial-of-service attacks and tries to compromise other machines virally.
So let's jump into 10 information security issues I think midmarket technologists need to think about in 2008:
1. Users are still the weakest link: In 2008 midmarket firms should start to realize that users are the last line of defense and focus on security education to keep them from continuing to do stupid things.
2. Web apps provide the path of least resistance: With 70% to 80% of new attacks already being targeted at the application layer, the difficulty in actually securing those applications comes to light. Midmarket companies need to watch their applications carefully because there is no telling when a new exploit will emerge.
3. PCI becomes real: As discussed relative to the TJX data breach, the banks and credit card processors should become a lot more serious about making sure midmarket retailers keep private data private.
4. Endpoint security integration simplifies desktop defense: Midmarket folks will finally have enough of the multitude of agents that run on the desktop and don't seem to keep them secure. So the idea of an integrated agent that provides multiple security functions is very interesting.
5. Security services become a real option: With Google offering Postini email security services as part of its Google Apps Premium offering, managed security services will start to hit the masses.
6. Network access control (NAC) is still a disappointment: Midmarket companies will be a couple of years behind large enterprises in rebuilding their campus networks in a more secure fashion. Yet all midmarket companies will hear in 2008 is how important it is to think about NAC right now.
7. Information security management doesn't get better: Midmarket IT managers will continue to be perplexed about what's happening in their environments. Security information management is still a bust for midmarket customers, although log management is an area for further investigation.
8. Midmarket firms look to "poor man's DLP" to address data leakage: As opposed to worrying about a full, broad data leak protection suite, midmarket CIOs will look to the built-in capabilities of their Web filtering and email security offerings to look for Social Security numbers and other private data.
9. The perimeter continues to erode: With more mobility and increasing business process integration, midmarket companies continue to struggle in defining who is actually supposed to be on the network at any given time. So security must continue to move further into the network and start focusing on protecting data.
10. Disk encryption happens: Given the impact of continuing to lose laptops with private data, midmarket companies will increasingly just start encrypting laptops with whole disk encryption products. Over time this capability settles into the endpoint security suite, but not until 2009.
We can certainly hope for an uneventful 2008 in information security, but the odds of that aren't good. Thus, midmarket security professionals must continue to focus on closing off their most exposed flanks and trying to stay one step ahead of the bad guys.
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.