This tip is part of SearchSecurity.com's Enterprise Security 2008 Learning Guide.
It's once again that time of year that marks the "silly season" of technology prognostications. Everyone likes to pretend they know exactly what the year to come will bring, but alas, few of us are ever right on the money. That won't deter me from offering some viewpoints on what security managers should expect in 2008.
Before we dive into the future, let's take a few minutes and examine the past year. Security management in 2007 was preoccupied with compliance, specifically PCI DSS. But that makes sense, given that almost every company accepts credit cards in some way, shape or form and thus is on the hook for PCI compliance.
The sad truth is that compliance is still the engine that is running most security operations. As my brother says, "no es bueno" or that's no good. We as security professionals still struggle to show value to the rest of the organization. No one argues that preventing a major breach adds value, but how much value? Is that in sync with the amount of money invested in security? These are important questions to answer.
As we focus on 2008, the first order of business for security professionals should be implementing a structured security program that is focused on protecting what's most important to the business, setting goals and milestones to ensure accountability and communicating how and why certain security controls are implemented. The end goal is to distinctly show the value and importance of security to the operations of the business.
Unfortunately, vendors are not going to be helping in terms of making the life of a security professional easier. That's right, don't hang up your tool belt or duct tape quite yet; 2008 will bring a lot more integration of disparate tools to try to make sense of what is actually happening. Security information and event management (SIEM) will continue to disappoint as most of the vendors in that space will spend 2008 giving their products brain transplants to seem more like log management offerings.
Many organizations will play around with SaaS, trying to figure out which security management tasks can be done more effectively by someone else. This is a good thing, since internal security groups don't get a lot of leverage from doing things like tuning spam gateways or monitoring IPS logs. But the key is to create an integrated and transparent workflow that gives internal resources the "master" view of what's happening, while effectively sourcing the operational tactics to the most cost-effective provider.
Compliance is not going away in 2008. I've certainly been hoping that security professionals will focus on security, as opposed to compliance, but ultimately the need to comply with various regulations still drives IT spending and thus is a significant funding source for what infosec pros need to accomplish and implement in the coming year.
Maybe for the holidays next year I'll ask for a standard reporting interface, so I can plug my security data into the organization's business intelligence software and get some real, meaningful data. But that's not going to happen in 2008, so we'll keep cobbling together whatever we can to take care of compliance in the most effective fashion.
Finally, there is one other big trend that security professionals need to get ahead of: the inevitable dismantling of the "empire." Operational security resources will be subsumed into other IT operational groups. The network security folks will move into the networking group. Database security? Right, that goes onto the DBA team, which is within the data center group.
The idea of not having an empire is a nightmare for chief security officers (CSOs), but the job of security is all about persuasion now. Successful practitioners are those who become the shepherds of the security program. They'll need to communicate what needs to be protected and how it should be protected. Then comes the hard work of convincing operational colleagues to invest the proper time, resources and money in providing that protection.
The security manager in 2008 is as much a cheerleader as anything else. He/she will need to constantly reinforce the security awareness training messages and will have no choice but to lead by example.
About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.