2010- A Security Odyssey

As yet another year draws to a close, it's natural for any industry to glance back over the past 12 months and then wonder what the future holds. For IT security professionals, 2009 has been a year of manipulating constricted budgets to properly secure the enterprise against an ever-expanding network of threats.

Virtualisation and cloud computing have well and truly exploded, bringing with them a fresh breed of nasties for businesses to fend off. Compliance initiatives have continued to dominate our radars, especially in the credit card and online banking spaces where the challenge of securing customers' electronic data has become a major focus in the boardroom.

In an effort to be one step ahead of whatever is on the horizon, it's time to start asking what's in store for 2010. Here are three predictions based on my discussions with customers out in security land: 

1. The slow rise of automated fraud detection
As financial institutions face ever more devious threats, automated fraud detection has been positioned as the next big thing. While it makes sense to automate information-gathering and event responses where possible, the technology is still too complex to be effective.

Part of the challenge is a lack of integration between security technology and processes. Fraud is typified by a complicated set of activities that cross many different elements of the organisation. The effectiveness of automated fraud detection programs is still a few years away because security programs lack the necessary maturity and information flow between technologies and operational silos.

I see more immediate value in the ability to monitor abnormal activity from privileged users, which could signify a potential breach.

2. Keeping your data secure AND accessible
The second trend that will continue into 2010 is the focus on securing critical data and the need to ensure the availability of that data to support business operations. Organisations have become very concerned with the security of large database management systems. These databases often hold particularly sensitive data, and require highly-specialised Database Activity Management technologies to administer and audit their access.

Protecting critical data, such as customer information, from being exposed in a breach has become the number one priority for organisations, and that will continue to be a main concern. Government legislation, industry mandates, and corporate best-practices all demand a data-centric and integrated security program. The real challenge for security teams over the coming year is how to take their existing investment in a broad range of security technologies and build a defence around sensitive, and therefore valuable, data stores.

3. More to compliance than security

Nearly every organisation is faced with the pressure of regulatory compliance. This is forcing security teams to provide far greater visibility into organisational risk, and for a larger number of stakeholders, than ever before.  There are more and more people within the business who now expect to see the results of the security team's efforts in a form that is easy to understand. In 2010, this expectation will continue to drive a need for greater capabilities to measure risk and exposure, and to be able present that information in layman's terms to stakeholders, particularly board members.

The challenge here is that board members see this investment and expect the money spent to benefit the business overall; they equate compliance success with good security. As security teams strive to demonstrate compliance to regulators and business stakeholders, they will also have to educate senior executives about the reality of security as an ongoing process. Technology and its threats evolve at such a rapid pace that a part of your network that's secure today could easily be at risk tomorrow.

Onwards and upwards
These three predictions are intrinsically linked: in 2010 database security will be the defining goal of security and compliance teams. The visibility of breaches has reached the highest levels of the organisation, and the desire to avoid costly and embarrassing data violations has become something that everyone, from the CEO down, now takes seriously.

Data is the lifeblood of global businesses, and the costs of breaches are simply too high - we will have to adapt to a more managed, policy-driven and secure workplace. While 2009 was a year devoted to the security of newer technologies such as cloud computing, we should anticipate that the coming year will focus on the processes and policies surrounding data security and compliance. From awareness training, to policies on mobile computing, to greater scrutiny of user activity - process-driven security strategies will be key to protecting the reputation and 'crown jewels' of every enterprise.

David Bell is a Systems Engineer at NetIQ.