"Regulation--SOX, HIPAA, GLB, the credit card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever--has been the best stick the industry has found to beat companies over the head with. And it works," says Bruce Schneier, founder of BT Counterpane, creator of the Blowfish and Twofish algorithms, and a noted author and speaker. "Regulation forces companies to take security more seriously, and sells more products and services."
The ChoicePoint debacle kicked off the data breach era in 2005, and hundreds of millions of lost records later, companies have state data breach notification laws to comply with, credit card standards to adhere to, and industry-specific regulations to watch. Security and risk must work in concert, forcing IT security to emerge from clichéd basement hideouts, and often sit alongside business units in order to learn how to best tailor protections to satisfy not only management, but auditors.
"Legislation demonstrates a failure of the information security community in meeting its responsibilities and requirements," Parker says. "An analogy is the seat belt problem in cars--we had to have laws to put them in cars and use them. A similar situation, only on a grander scale, has occurred in information security. We're shifting objectives in information security from attempts to reduce risk to attempts to meet compliance with law. That's a sad commentary on information security."
As we hit the end of this decade, and look to the start of Information Security's next 10 years, we see security duties being absorbed more and more by networking groups. Security technology is being baked into infrastructure like routers and switches, and big vendors like Cisco, IBM, HP and EMC are scooping up important security technologies. Stand-alone security vendors, no matter how innovative, are sitting ducks for acquisition. Compliance is going to be a perpetual issue for security managers, and overall risk management is slowly superseding the role of the CISO.
Amoroso, for one, predicts that in 10 years, security as we know it today will be gone.
"We'll look back on this five to 10 years from now and say this was the era when we overlaid security onto networks and systems, and I think we already have learned that's a flawed model," Amoroso says. "It doesn't make sense to design a network and then build security onto it or run a network where security components are separate. That's silly."
This was first published in January 2008