If the focus of a year could be summed up in one word, the word I
would choose for 2009 is risk. Ignorance of true risk,
mismanagement of known risk, and misunderstanding of potential risk
precipitated the collapse of our global economic system.
The bad news is that it took a crisis of such great magnitude to
draw world attention to the need for effective risk management.
This newfound awareness is good news for those of us in information
security leadership. A study conducted by PricewaterhouseCoopers
on information security in 2010 revealed that the role of
information security within organizations has increased
significantly and is now widely recognized within executive ranks
as strategic to organizational health and success. It’s
about time.
What’s in store for 2010?
Renewed attention to and focus on risk is often the impetus for
significant growth in our industry. What do we see for 2010?
In terms of vulnerability, we see coordinated attacks on the rise.
These combined attacks often rely on Trojans to harvest Personally
Identifiable Information (PII) and credit card data; that data is
then exploited by people and/or social engineering tactics to steal
assets; and those assets are eventually delivered to established
drop zones for profit sharing.
Not only are threats increasing in level of sophistication, but the
degree to which malware and Trojans have permeated small businesses
has reached pandemic proportions. And large enterprises are not
immune. RSA’s anti-fraud command center in Israel reports
that not only is the number of Trojans doubling every quarter, but
in a single month 60 percent of the Fortune 500 were determined to
be contaminated with Trojans from infected employee laptops.
To address this ‘pandemic,’ another transformation is
coming. Security-as-a-Service and ‘safety in the cloud’
will become central themes in 2010. Not just for large enterprises
but for small merchants as well. With regard to smaller
organizations, we will need to finally face the fact that these
operations are ill-equipped to understand, let alone stand up to,
the security required to defend against today’s attacks.
Larger organizations will face new and different challenges as they
flock to the cloud in pursuit of dramatic cost and resource
efficiencies. It is incumbent upon the information security
industry to enable that migration and ensure safety in the cloud.
In fact, the transition to the cloud can and will offer
opportunities for even better security than is possible in physical
environments, given the opportunity we have to embed security
controls directly into the virtual infrastructure, making those
infrastructures secure and policy-aware.
As we head into 2010, renewed awareness and understanding of risk
will once again spur the industry on to new growth. Security
delivered as a service will offer protection to those who lack the
expertise and/or resources to stand up their own security
platforms.
The unique security challenges and opportunities introduced by
cloud computing will push us to match and surpass physical security
as we implement virtual infrastructures. And
information security leaders who finally have the ear of the CEO
will develop security strategies that not only identify, quantify
and mitigate risk but enable innovation and growth in the coming
decade.
Art Coviello is Executive Vice President, EMC Corporation and
President, RSA, the Security Division of EMC