Tip

Security management in 2008: What's in store



This tip is part of SearchSecurity.com's Enterprise Security 2008 Learning Guide.

It's once again that time of year that marks the "silly season" of technology prognostications. Everyone

    Requires Free Membership to View

    Login

often likes to pretend they know exactly what the year to come will bring, but alas, few of us are ever right on the money. But that won't deter me from providing some viewpoints on what security managers should expect in 2008.

Before we dive into the future, let's take a few minutes and examine the past year. Security management in 2007 was preoccupied with compliance, specifically PCI DSS. But that makes sense, given that almost every company accepts credit cards in some way, shape or form and thus is on the hook for PCI compliance.

The sad truth is that compliance is still the engine that is running most security operations. As my brother says, "no es bueno" or that's no good. We as security professionals still struggle to show value to the rest of the organization. No one argues that preventing a major breach adds value, but how much value? Is that in sync with the amount of money invested in security? These are important questions to answer.

As we focus on 2008, the first order of business for security professionals should be implementing a structured security program that is focused on protecting what's most important to the business, setting goals and milestones to ensure accountability and communicating how and why certain security controls are implemented. The end goal is to distinctly show the value and importance of security to the operations of the business.

Unfortunately, vendors are not going to be helping in terms of making the life of a security professional easier. That's right, don't hang up your tool belt or duct tape quite yet; 2008 will bring a lot more integration of disparate tools to try to make sense of what is actually happening. Security information and event management (SIEM) will continue to disappoint as most of the vendors in that space will spend 2008 giving their products brain transplants to seem more like log management offerings.

Many organizations will play around with SaaS, trying to figure out which security management tasks can be done more effectively by someone else. This is a good thing, since internal security groups don't get a lot of leverage from doing things like tuning spam gateways or monitoring IPS logs. But the key is to create an integrated and transparent workflow that gives internal resources the "master" view of what's happening, while effectively sourcing the operational tactics to the most cost-effective provider.

Compliance is not going away in 2008. I've certainly been hoping that security professionals will focus on security, as opposed to compliance, but ultimately the need to comply with various regulations still drives IT spending and thus is a significant funding source for what infosec pros need to be accomplish and implement in the coming year.

For more information:
In this tip, security management expert Mike Rothman looks back at some of the key compliance events of 2007.

Learn the best way to comply with PCI DSS requirements 9 and 10.

A Ponemon Institute study indicates the costs associated with data breaches have soared and will continue to skyrocket.
Hopefully, security professionals will finally come to grips with the discipline that is preparing for an audit, which will result in an opportunity for vendors that provide so-called GRC products -- glorified reporting and workflow packages meant to automate the compliance process. These products allegedly automate the data gathering and reporting processes, so managers don't have to spend days (or weeks) preparing for the audits. Clearly that is a problem for security professionals that should be doing something more productive than preparing for an audit. It pains me to think that we'll need to implement yet another point product to solve a problem, but it is what it is.

Maybe for the holidays next year I'll ask for a standard reporting interface, so I can plug my security data into the organization's business intelligence software and get some real, meaningful data, but that's not going to happen in 2008, so we'll keep cobbling together whatever we can to take care of compliance in the most effective fashion.

Finally, there is one other big trend that security professionals need to get ahead of: the inevitable dismantling of the "empire." Operational security resources will be subsumed into other IT operational groups. The network security folks will move into the networking group. Database security? Right, that goes onto the DBA team, which is within the data center group.

The idea of not having an empire is a nightmare for chief security officers (CSOs), but the job of security is all about persuasion now. Successful practitioners are those who become the shepherds of the security program. They'll need to communicate what needs to be protected and how it should be protected. Then comes the hard work of convincing operational colleagues to invest the proper time, resources and money in providing that protection.

The security manager in 2008 is as much a cheerleader as anything else. He/she will need to constantly reinforce the security awareness training messages and will have no choice but to lead by example.


Enterprise Security 2008 Learning Guide
  Malware trends suggest new twists on old tricks
  Addressing VoIP and virtualization
  Assessing access management
  Building trust into the application development process
  Security management in 2008: What's in store
About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

This was first published in January 2008

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top