Infosecurity managers have evolved beyond firewall-watchers and will reap benefits from their growth in 2007.

The security technology space has been pretty dull for the last couple of years. Does this mean that the security problem has been solved? Certainly we've seen a lot less drama on the worm front, and who worries about having their Web site hacked these days? Could it be that Windows XP with SP2 is finally so secure that we can all go home? I think not.

It's still early to declare victory in the worm wars, and, more disturbingly, there is no reason to think that the insidious threat of targeted malware is anywhere near reaching its full potential. Maybe next year someone will introduce a technology that reliably keeps out spyware, including browser plug-ins. Unless we see such a technical miracle, next year is going to be yet another year of useful, albeit boring, refinement of technology we already have.

A far more interesting story for 2007 is the growing professionalization of the security manager. We've made huge progress during the last five years, and the benefits are going to be crystal clear next year. Expectations are changing, and the bar has been permanently raised. It's no longer good enough just to patch Windows and keep an eye on the firewall--the complete picture of IT risk must be addressed. This means transcending shallow views of confidentiality towards a more mature understanding of the information infrastructure, encompassing integrity, availability and maybe even quality. Next year's security leaders will take off their blinders and develop a bigger, more holistic understanding of risk.

To some extent, it took external legal events to force us to confront the true realities of information loss. Regulatory enforcement and a growing volume of electronic discovery activities made it clear that company insiders can use computers to cause their employers significant losses. Money has been leaking out of USB ports, and it is no longer acceptable to leave 50,000 Social Security numbers sitting in the back of a taxi. We don't have time for cops-and-robbers games with teenage hackers. Instead, we'll see significantly more attention paid to the issues of data leakage and employee activities.

"Alignment with the business" is no longer just a buzz phrase--it is becoming an economically significant reality. Next year's alignment will be a two-way street: Not only are security managers learning where their firms' money comes from, but a growing number of business managers will understand the security risks that impact their business goals. After several years of diligent leadership, security managers in these organizations have not only raised awareness of security issues, but are encouraging a widespread corporate desire for active management of information risks.

Inevitably, cultural change will be accompanied by continued experimentation with organizational structure. While no reporting model can fit all organizations, it may well be that the IT department is not the best place to manage a unified approach to information risk. Next year will see more organizations moving the CISO out from under the CIO.

Realistically, the majority of organizations won't have an operationally excellent information risk program, but fortunately, most don't need such a world-class approach. Virtually every organization can be secure, and it doesn't usually require a significant long-term increase in security budget. The infosecurity profession is making significant progress. It is only for a lack of will to do better that some are still experiencing far too many security failures.

The good news from 2006 is that organizations that have a will to manage IT risk are already doing a great job of it.