Trends in Information Security
I found myself thinking some “big sky” thoughts about trends in information security recently. Here they are.
- The Business of Information Security
- The Internet Economy
- Governance, Risk and Compliance
- The Hunt for the Information Security Bullet is Ending
- The Whole Solution Movement
- Convergence and Integration
- The World is Flattening
The Business of Information Security
As a new breed of information security managers takes a fresh look at how to manage the information security domain, established business management techniques that have been applied successfully in other business domains are now being considered and adopted. These include Balanced Scorecards and Six Sigma. The failure of tactical solutions and the pace of change in the business environment have forced people to step back and reassess current methods of managing information security. I think the “business of information security” is on the rise.
The Internet Economy
Chris Anderson’s book The Long Tail[1] has been credited as a compelling economic theory to explain phenomena such as the rise of social network platforms like Facebook and MySpace, music distribution like iTunes and e-commerce like Amazon. The Long Tail theory has wide implications; one is that there is more total demand from a large number of unique products (each of which, in itself, has a small demand) than from a small number of products that each have a large demand. The implications of the Long Tail extend far beyond mass consumer technologies and into business software. I believe that information security itself closely follows long tail economics. No two companies’ risk profiles, business needs or solution sets will ever be the same.
Three facts support this statement:
- every business has multiple processes
- processes that are similar in name between businesses are actually highly customized
- there are a large number of processes unique to small clusters of users
This means that there is an explosion of process problems to solve.
I plan to write a detailed long post about the Long Tail of Information Security next.
That post can now be found here: Part 1 and Part 2.
Governance, Risk and Compliance
Business failure resulting from a lack of general operational controls has become a familiar story. We have seen many text-book examples like Barings Bank and Enron. Governments and industry bodies have responded with tough regulations to reduce the risk, imposing rules and, by implication, a compliance culture. An entire industry has grown around governance, risk and compliance (GRC). SAP, Oracle, IBM and Microsoft are all readying solutions for this general space, focusing on regulations such as Sarbanes-Oxley.
In the big picture, business failure as a result of information security has been less prevalent to date, but recent examples like the TJX credit card exposure [2] have focused business attention. To many in the industry this is nothing new; information security regulations like those issued by the SEC and FFIEC have been around for many years, but the backwash from Sarbanes-Oxley (SOX) and the direct waves of the Payment Card Industry Data Security Standard (PCI DSS) have refocused attention. Of course the problem is only going to get worse, with more regulations and rules governing how to do business arriving by the month. From the very top of organizations down, people are now asking, or being asked, whether their company is doing the right thing and meeting the criteria set out in the regulations. Not only do they have to answer the question, they need to answer it with a reasonable degree of confidence.
As the compliance culture has emerged, there has been a resurgence of interest in technology governance. Frameworks such as the IT Infrastructure Library (ITIL) and the Control Objectives for Information and Related Technology (COBIT) have seen widespread adoption. While security is touched upon, it is not a deep discipline in these frameworks. I expect this to change.
The Hunt for an Information Security Silver Bullet is Ending
The information security industry has evolved fast and now produces a glittering array of technology. In many camps, hope was placed in silver bullets (a nickname for a single all-purpose technology) that would solve broad swaths of problems. For example, Digital Rights Management (DRM) and Data Leakage Protection (DLP) software would keep secrets from being sent outside company walls, and application firewalls would mean business could continue to write insecure software and just patch it after deployment. As the infamous quote goes, “if you think technology is the solution then you don’t understand the problem”. Application security firewalls can only protect against a small portion of web application vulnerabilities, and data has more routes out of a company than a PC has interfaces (see Whole Solution Movement below).
Modern information security professionals, and especially business managers, do understand the problem, and the sun is setting on the hunt for the silver bullet. These security technologies of course all have an important role to play in whole solutions, but glue is needed to connect them to people and process.
Whole Solution Movement
As people realize that security technology is just one piece of the puzzle (albeit a very important one), a movement is afoot. That movement is for people to demand and create whole solutions. A whole solution looks at the entire scope of the problem and pieces together a solution using a variety of products, services and techniques. Whole solutions are needed to meet the complex demands of governance, risk and compliance.
This can be illustrated with the following example. A retail bank manager was recently overheard saying that he had a forensic audit team in his branch office. The bank had a procedure whereby any bank paperwork must be placed into a secure paper bin and taken away by a specialized disposal service to comply with the UK Data Protection Act. It seems someone left some paper in the kitchen, the cleaner put it in the bin, and scavengers went through the bins and sold it to the press. This type of story is all too commonplace. A whole solution needs to consider these scenarios and not just focus on digital media or data traveling across a network. Companies understand that data leakage extends far beyond USB sticks. To date, solution vendors don’t.
Convergence and Integration
Convergence is a hot topic, with typical water-cooler conversations like “Do we need Chief Security Officers (CSOs) or Chief Information Security Officers (CISOs)?” What we are really seeing is a trend that is far larger than a discussion about the span of control between physical and virtual security. Information security touches systems and business functions across the board.
As an example, the Markets in Financial Instruments Directive (MiFID) comes into effect in the UK in 2007. Among other things, MiFID requires companies to be able to prove and record which people had access to, and indeed touched, which systems at what time under what are called its “best execution” principles. This is obviously a complex issue, and solutions will require integration with identity management systems, event logs and software applications. Also needed are integration with human resources systems such as PeopleSoft to ensure employees have signed and accepted policies, integration with legal document repositories like Documentum or Interwoven to ensure a copy of the signed policy documents is stored, and integration of incident management with company-wide helpdesks and ticketing systems.
I think information security is converging with business and operational risk.
The World is Flattening
Outsourcing is clearly here to stay, yet it is fair to say most large companies have yet to really understand and manage the information security risks associated with the business model. I see outsourcing information security as a huge opportunity for large companies, but a complex problem to address.
Today, when you call a 1-800 or other free phone customer service number, you may be seamlessly routed to a call center across the world. I envisage a time soon when an intrusion detection system or vulnerability management system may automatically route an issue to be dealt with in the most effective way (cost, quality or speed) for the company.
[1] Chris Anderson, The Long Tail: Why the Future of Business Is Selling Less of More, Hyperion (2006)
[2] http://www.informationweek.com/showArticle.jhtml?articleID=196902075
August 6, 2007 at 3:15 pm
Yes, I agree with you, especially with your flattening of the world. Definitely security work, whether it is IT technicians or security officers watching video screens, can be outsourced to countries like the Philippines or India. Security measures will be commonplace, and outsourcing will be the only way to go.
August 6, 2007 at 9:00 pm
Not to be a jerk or anything, but I also see a trend in information security. The “old guard” is dying out and retiring. CSOs that are 100 years old are finally throwing in the towel – especially now that they have no idea why firewalls aren’t working as a defense anymore.
The Business of Information Security
Six Sigma, Lean, KPIs, SMART, SWOT, etc. – these techniques have been around since the middle of last century. Even the Balanced Scorecard is over 10 years old. Blanchard wrote about this sort of stuff in the early 80s and Covey in the early 90s. It’s nothing new – it’s just that old habits die hard.
The Internet Economy
I wonder if the long tail has been applied to brick-and-mortar companies for years? I’ve seen middlemen take advantage of various supply chains and insert themselves into the process where they can make vast amounts of riches based on these sorts of economic models. Only now they are focused on the consumer. It would be interesting to see the Long Tail applied to Japanese markets – is that topic included in the book? I’m going to have to order myself a copy on audible.com.
Governance Risk and Compliance
I think you have this a bit off. It’s not that people get fined small amounts of money or scolded because they aren’t compliant. It’s actually much worse than that. When the FTC or states following suit on CA SB1386 come knocking at your door because of a data breach – and they’re asking for remittance – and the number happens to be in the millions – that’s when people start changing their attitudes towards not only compliance, but also security management in general.
I often hear people say that the chance of getting into the media or on an FTC list due to a data breach (or Enron style mis-management) is low. I’ve heard them say “it’s like rolling the dice – and our business is willing to fight these odds”. When it used to be that only CardSystems and TJX had this sort of “bad luck”… CA SB1386 is making it well known that there were over 600 breaches in the past year. So everybody’s number is up sooner than later.
The Hunt for an Information Security Silver Bullet is Ending and Whole Solution Movement
With the old-guard dying/retiring out (as I mentioned first above), this is another problem to be solved. I’m hoping that we’ll see more smaller pure-plays again. I’m hoping that people will stop buying security as a brand-name. M&A just isn’t going to cut it anymore. There needs to be real innovation. Look at Cisco – they still think they have the best security products on the market. They’ll tell you that they’re the only ones with a “whole solution”.
I think the point behind this is that you can’t “buy” security, not even in the future. Security is a process, not a product!
Convergence and Integration and The World is Flattening
Convergence/integration is good and bad depending on your organization. Some need NOC and SOC to be separate. Some need to globalize and centralize IT/Ops, including infosec. Some are going to need Application Security groups that are separate from Information Security groups. Some will need Security QA teams.
Some don’t need a security team at all. But that doesn’t mean that they don’t need to manage security or have security policies.
I also see these topics of convergence and outsourcing as highly related issues (see: building or restructuring an organization). Anton Chuvakin and I discussed some of these concepts at length earlier this year. I see huge benefit to outsourcing some security and IT/Ops administrative functions – especially since it’s difficult to “own” an IT administrator or security officer at your business when in reality some managed service company in Virginia or Texas holds most of the keys.
Some companies even lean towards outsourcing everything. This can be useful in ways described above, but I think many should be careful to use this for small, repetitive projects and tasks with the ability to pull the plug on the MSP when necessary. I’m afraid that some companies outsource way too much – especially core functionality. If you’re having growing problems – chances might be good that your MSP could be having the same issues, just compounding the problem. If you have important strategic objectives to build into the architecture and scale of your software engineering, QA testing, infrastructure, process, or operations – it’s probably best to keep these sorts of activities “in-house” while balancing/staffing your talent appropriately.
Outsourcing application development isn’t any more difficult. In fact, it appears to be a lot easier. Components usually make up a lot of the project work, and almost half of this activity can be outsourced. Again, just make sure it’s not something that is strategically tied to the business. Secure software contract annexes and testing can prevent third-party problems from occurring, and in many cases – outsourcing houses in “near-third-world” countries score better on maturity models such as CMMI than the Fortune 100 companies’ internal dev shops.
August 8, 2007 at 10:20 am
Fantastic post Mark. I found myself nodding all the way through. You’ve certainly captured what I’ve found to be the case in Europe. Maybe dre has a more US centric view?
August 8, 2007 at 1:54 pm
Dre
Thanks. This is great feedback and really appreciated.
I think you are right, the old guard is changing. That’s a great new blog post, “They are changing the guard at the Internet Palace”.
On the biz of info sec nothing is new, you are dead right. It’s just taking a long time for people to apply sound business management to info sec. People have been able to get away with claiming it’s neither art nor science for too long and as a result sit in the middle in no man’s land.
Internet economy – Japanese markets? Not sure I saw anything. I have written two posts about it since.
Silver Bullet – Agreed, but it seems that we will always have this cycle of new solutions claiming to solve the issue. It’s a case of software being a scalable business and services not, so few people will ever want to really adopt both and make a whole solution from it. The margins of software are just too good!
August 8, 2007 at 1:56 pm
Rob
Hi Rob and thanks for the comment. I am glad you liked it. Hopefully you liked my long tail posts as well.
August 8, 2007 at 8:53 pm
I certainly did. I’ve actually been speaking about it today. The thing about all of these posts is they seem obvious once you’ve read them, but no-one else has actually pointed any of it out. Without wanting to sound like I’m kissing up, that’s proper genius in my book.
I’m so taken by the long tail of security in fact that I think we will get to a stage where everyone talks about it, but no-one will remember exactly who first coined it. I think you’d better stake your claim quick!
The real question now of course is how do we address it?
August 9, 2007 at 7:36 am
Do make sure you read the book. I don’t do it justice. Take a look at
http://securitybuddha.com/?s=security+next.0
Obviously not much detail for a reason (I am betting my life on this) but I think this is what is needed. I honestly don’t know if I can bring it to market but I do expect to have some concrete news by the end of Sept at the latest.
August 9, 2007 at 4:52 pm
[...] Trends in Information Security « Mark Curphey – SecurityBuddha.com [...]
August 9, 2007 at 7:56 pm
You’re being very enigmatic here… go on, tell us what you’re doing! What’s your shovel?
This is my take on Web2.0 security: http://robnewby.blogspot.com/2007/08/long-tail-security-analogy.html
I’d be really interested to hear more about whatever it is you’re up to, and if there’s anything I can do to help, you have my email address, don’t hesitate to get in touch.
Where can I get shares?
August 10, 2007 at 6:53 am
All in good time my man! I am juggling a few balls right now.
The points you highlight in your web 2.0 post bring up some interesting challenges around mashups in general. There has been some good precedence set in the past in building with components, and in general most of the decent mashable data sources define their interface well enough to be able to reply in it. That said, when we start building systems that have a requirement of reliability we will need contracts (not contract-first development but real legal ones) and this may be a barrier to many of these things going from idea to reality.
You have inspired me for another long tail post later today!
August 10, 2007 at 1:06 pm
Looking forward to it.
You’re now #1 on my blog roll.
Enjoy the fame and fortune it brings you.