As much as I want to be optimistic about the state of IT security in 2004, I can't help but think things are going to get worse before they get better. This certainly isn't for a lack of effort on the part of enterprise security professionals. But malware writers, vendors and software providers are going to continue to make security an increasingly heinous challenge in the coming year. Meanwhile, legislators will think they're doing everyone a favor by passing vague, yet demanding security regulations.
To start with, we're going to see more blended threats that (like Blaster) combine malicious code with previously unidentified vulnerabilities. The increasing complexity and quantity of blended threats will keep security pros in reactive mode, making it difficult -- if not impossible -- to keep up with proactive mitigation techniques that are necessary in order to help secure organizations against other threats like DoS attacks, war driving, insider breaches, etc.
In reaction to the multitude of threats against our enterprise and national infrastructures, more regulations dictating security will be handed down. However, the legislation will be written and passed by politicians who keep their passwords on sticky notes under their keyboards. It won't be clear how organizations are expected to "get secure," but it will be clear what they can expect if they aren't secure when a breach occurs.
Solution providers will take this opportunity to peddle their integrated security appliances and management consoles, touting efficiency and ease of use. Their proclamations will fall on deaf ears, as organizations large and small reject the products' price tags and opt for best-of-breed technologies. Funding is hard enough to come by -- why spend it on a firewall, antivirus software, content filtering solutions, etc., to replace already installed versions that may be more effective? As for management consoles, don't get your hopes up. Say you get the funds, what then? You've got another appliance to secure, and if this one gets hacked, you're really in trouble.
Finally, we have our ever-trusty software manufacturers that can always be depended upon to secure the jobs of security pros. (Ha! What did you think I was going to say?) Microsoft will continue to make what it considers to be great strides in the area of security, but for the majority of IT admins its efforts will always be too little, too late. (And security pros have a reason to demand more.) New applications and platforms will be pirated and hacked before they hit the shelves, and those charged with securing the technologies will be racing to keep up with the bad guys.
In conclusion, more of the same -- only worse -- for security in the New Year.
FEEDBACK: Are my predictions off the mark? Let me know what you think 2004 has in store for information security.
Send your feedback to site editor Crystal Ferraro.