
Security management in 2008: What's in store

Looking back on 2007, compliance and PCI DSS preoccupied the minds of most security management professionals. In this tip, security expert Mike Rothman outlines what information security managers can expect to be the hot management topics for the year to come and unveils how CISOs and security professionals alike can prepare for 2008.

This tip is part of's Enterprise Security 2008 Learning Guide.

It's once again that time of year that marks the "silly season" of technology prognostications. Everyone likes to pretend they know exactly what the year to come will bring, but alas, few of us are ever right on the money. But that won't deter me from providing some viewpoints on what security managers should expect in 2008.

Before we dive into the future, let's take a few minutes and examine the past year. Security management in 2007 was preoccupied with compliance, specifically PCI DSS. But that makes sense, given that almost every company accepts credit cards in some way, shape or form and thus is on the hook for PCI compliance.

The sad truth is that compliance is still the engine that is running most security operations. As my brother says, "no es bueno" or that's no good. We as security professionals still struggle to show value to the rest of the organization. No one argues that preventing a major breach adds value, but how much value? Is that in sync with the amount of money invested in security? These are important questions to answer.

As we focus on 2008, the first order of business for security professionals should be implementing a structured security program that is focused on protecting what's most important to the business, setting goals and milestones to ensure accountability and communicating how and why certain security controls are implemented. The end goal is to distinctly show the value and importance of security to the operations of the business.

Unfortunately, vendors are not going to be helping in terms of making the life of a security professional easier. That's right, don't hang up your tool belt or duct tape quite yet; 2008 will bring a lot more integration of disparate tools to try to make sense of what is actually happening. Security information and event management (SIEM) will continue to disappoint as most of the vendors in that space will spend 2008 giving their products brain transplants to seem more like log management offerings.

Many organizations will play around with SaaS, trying to figure out which security management tasks can be done more effectively by someone else. This is a good thing, since internal security groups don't get a lot of leverage from doing things like tuning spam gateways or monitoring IPS logs. But the key is to create an integrated and transparent workflow that gives internal resources the "master" view of what's happening, while effectively sourcing the operational tactics to the most cost-effective provider.

Compliance is not going away in 2008. I've certainly been hoping that security professionals will focus on security, as opposed to compliance, but ultimately the need to comply with various regulations still drives IT spending and thus is a significant funding source for what infosec pros need to accomplish and implement in the coming year.

Hopefully, security professionals will finally come to grips with the discipline that is preparing for an audit, which will result in an opportunity for vendors that provide so-called GRC products -- glorified reporting and workflow packages meant to automate the compliance process. These products allegedly automate the data gathering and reporting processes, so managers don't have to spend days (or weeks) preparing for the audits. Clearly that is a problem for security professionals who should be doing something more productive than preparing for an audit. It pains me to think that we'll need to implement yet another point product to solve a problem, but it is what it is.

Maybe for the holidays next year I'll ask for a standard reporting interface, so I can plug my security data into the organization's business intelligence software and get some real, meaningful data, but that's not going to happen in 2008, so we'll keep cobbling together whatever we can to take care of compliance in the most effective fashion.

Finally, there is one other big trend that security professionals need to get ahead of: the inevitable dismantling of the "empire." Operational security resources will be subsumed into other IT operational groups. The network security folks will move into the networking group. Database security? Right, that goes onto the DBA team, which is within the data center group.

The idea of not having an empire is a nightmare for chief security officers (CSOs), but the job of security is all about persuasion now. Successful practitioners are those who become the shepherds of the security program. They'll need to communicate what needs to be protected and how it should be protected. Then comes the hard work of convincing operational colleagues to invest the proper time, resources and money in providing that protection.

The security manager in 2008 is as much a cheerleader as anything else. He/she will need to constantly reinforce the security awareness training messages and will have no choice but to lead by example.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also's expert-in-residence on information security management. Get more information about the Pragmatic CSO at, read his blog at, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
This was last published in January 2008
