I’m a great believer in looking ahead at new trends in security, as well as taking a step back and assessing what’s happening around us. It’s important to do this because information security is a subject that’s in constant flux, driven by an ever-changing threat and technology landscape. We all need to keep an eye on emerging problems and check that legacy solutions are still fit for purpose.
This year, we can see the convergence of several trends that are stretching our capability and thinking in new directions. Security is always a ‘catch-up’ function as the development of solutions lags behind the problem space. Unfortunately the lack of resources and proactive developments means that we’re falling further behind, and we might not get the resources needed to get back on top. Ruthless prioritisation will be needed to survive the emerging threat landscape. The question is what should we do within our limited capabilities?
The most visible trend is the impact of the recession, which has caused a good deal of inertia with budgets slashed and projects canned, amid a wave of restructuring that’s taken the wind out of the sails of anyone with a spark of initiative. Big programmes are out of fashion. Consolidation is the best strategy, at least for the moment.
And consolidation takes a number of forms. We can also expect more mergers of functions, such as the trend to join up information and physical security, though the relationship is often uncomfortable. Physical security is a part of information security. Yet information security is also a part of physical security. Which is broader? The answer is both and neither. Business priorities are what count. And this time it’s information security that’s coming out on top. It’s a different perspective from the post 9/11 climate when physical security threats suddenly hit the management agenda.
We also have the vendor community working hard to transform the marketing pitch around their products to fall in line with the latest fashions. Last year everything became a ‘data leakage prevention’ product. This year it’s all about ‘cloud computing’. This is an important new area to get right, but we’re still a long way from understanding the risks and filling in the solution space. Securing the cloud will run and run, however, and get bigger as it dawns on enterprises that they’re losing control of their data, in an increasingly risky world in which everyone’s out to get their hands on it. But we can’t simply sit back and wait for someone else to solve the problems. Organisations will face different sets of problems. We all need to start now on developing a security strategy for cloud computing.
There are also problems that we’ve failed to fix properly in the past such as identity management and security awareness. They remain firmly in the front of our minds but generally fall into the ‘too difficult to fix’ category. But these problems will increase in importance over the next few years. In particular the need to do more to address the human factor is becoming clearer to executive boards and business managers. We can no longer keep putting it off. The problem is that few enterprises have a decent budget and a clear idea of precisely what’s needed. You don’t need to spend a fortune, however, to get results. A lot can be done with smart, low cost interventions.
Data breaches seem to be having less impact these days because they’re becoming all too familiar, and we now have well-rehearsed excuses for why they happen. I’ve been forecasting for many years that the next big incidents will be attacks on data integrity. It's a widespread exposure but it’s been sitting below our radar for many years. Check out my Infosecurity podcast interview for more on this.
Putting these trends together, it’s clear that ‘more of the same’ won’t do for the future. We need a new strategy, new priorities, new defences and far greater leverage for tackling enterprise-wide (or even community-wide) problems. We need a new direction for security. And the current period of consolidation is the best time to create the necessary road map.
In my last blog posting I mentioned the growing trend to join up information and physical security. A few people have asked me to expand on this topic. Why is it happening? Where is it happening? And is it a good thing? The short answer is that it’s an inevitable trend that will impact all organisations, with both good and bad consequences.
Personally, I’ve never been a big fan of joining up these functions. I don’t see much synergy between a technician that configures firewalls and an investigator that kicks down doors. I’ve seen such mergers tried, and I’ve seen them fail. The main problem is the combined problem space, which is far too big. Each subject area already exhibits a richness and complexity that is at the limits of practical professional development. We don’t have enough professionals today who can comfortably span the combined security spectrum. Tomorrow it will be more difficult, given the growth and the pace of change in both subjects.
But information and physical security are increasingly converging, not only in large organisations with big centralised functions, such as high street banks, but also in small enterprises with part-time focal points. The primary drivers are political ones, such as the reduction of senior management headcount and the simplification of reporting lines. It’s not about synergy of activities. Restructuring is a top-down, political process, not a bottom-up, logical exercise.
Growth in the significance of the human factor in information security breaches is also a consideration. Data breaches scare executive boards. Information security demands a high-profile education programme to help reduce losses of laptops and USB sticks. The most pressing physical security issues are now associated with the control of information and technology, rather than the guarding of buildings.
When you drill down into the subject matter, the vast majority of information and physical activities are quite separate, requiring different skills and experience. Many projects require both sets of skills, but that doesn't mean that they have to be joined up. Identity management programmes, for example, are by their nature multi-disciplinary, involving a range of stakeholders, ranging from legal to HR professionals. They don’t need to report into a single management point, though they would clearly benefit from unified direction.
In my view you can't put a 50% expert in charge. Executive boards expect security directors to be equally comfortable fielding questions about international terrorism as well as finding simple solutions for board members to access their email securely from hostile locations. You can’t get off the hook by saying “that’s for the IT department” or “I’ll need to consult one of my staff”. It simply won’t wear.
Non-technical activities such as policy, audits, education and investigation are the areas that are most likely to benefit from being joined up. Architecture, network security and vulnerability management are far too specialist for physical security to make a substantial contribution. And major investigations and prosecutions cannot be left in the hands of armchair enthusiasts. But somehow we have to bring it all together.
In practice, information security has always been a component of physical security, and vice versa. Whichever side dominates at any one time is more a matter of politics, fashion and personality. Attempts to bring information security under physical security following 9/11 were not successful. But information security has now overtaken physical security in both visibility and importance, so it’s likely that IT professionals will increasingly take the leading role.
The combination of physical and information security provides new opportunities for converged projects, such as identity management. But they will be the prize rather than the driver of the merger. A converged security function will have greater political leverage and incident data to support new initiatives such as identity management, security monitoring and security education. These goals might not be the catalyst for the change, but they will be the serendipitous consequence.
It’s interesting to observe that health officials have substantially lowered their earlier estimates of the number of people who might die this winter from swine flu. Why were the earlier predictions so far out?
I’m no expert on this subject area, but I suspect that a major contributory factor was the natural tendency for people to exaggerate spectacular risks, especially those outside their control with a high media profile. We saw it ten years ago with the Y2K bug, which prompted dire forecasts from seasoned IT professionals and government officials. One leading US government authority described it as “the electronic equivalent of the El Niño”. But they were completely wrong.
The problem is that many people instinctively translate large vulnerabilities into inevitable disasters, generally overlooking the preventative and remedial measures that are already in place, or might be prompted by the publicity. High threat scenarios also bring out an evangelistic streak in even the most hard-nosed professionals. And this doomsday bandwagon is reinforced by political pressure to be overcautious in order to avoid any subsequent criticism for lack of preparation.
Of course there’s nothing wrong with a degree of prudent overreaction to a big-ticket risk, as long as it’s kept in context. Gambling a small amount of your budget on an outside possibility is fine, as long as you can afford to write off the loss. But business cases simply do not stack up for major expenditure on low probability scenarios. Earlier government pandemic forecasts suggested that a pandemic was likely in the next ten years, but the timing and size could not be predicted. There’s no way you can justify any major business change on such a vague assessment.
Nassim Nicholas Taleb, the author of The Black Swan, promotes the idea that we should devote a small amount of time and money on planning for spectacular, game-changing events such as 9/11 or the credit crunch. Such risks are not addressed by conventional processes such as risk management or business continuity planning, because they’re unthinkable and generally off the scale, though the implications can be explored through an imaginative crisis exercise.
Even when an event is imminent and unavoidable it’s important to keep the damage in perspective. It’s not logical or sensible to plan on the basis that an event with a wide spectrum of potential impacts will create the maximum possible damage next time it hits. Now I'm not suggesting that we should ignore the worst case impact. We should of course take sensible steps to prepare ourselves as best as possible. Crisis exercises, for example, are a useful vehicle for creating awareness and better understanding the key implications, issues and requirements associated with a worst case scenario. But we should avoid mixing too much fantasy with reality, because worst case forecasts create panic, generate unnecessary expenditure and cry wolf.
Without doubt the hot issue over the next year is cloud computing. It’s a compelling and inevitable extension of the general trend towards virtualization created by networks. Cloud computing might mean different things to different people, but the key proposition is that you let go of the management of your infrastructure and applications in order to benefit from greater economies of scale and, hopefully, safety in numbers.
It all sounds promising. Why struggle to get your IT working efficiently on your own? The problem is not the logic but the fact that there is as much madness as wisdom in crowds. There are huge benefits as well as big risks in following herds. Today we hear all about the promised benefits from vendors. But we know little about the risks. That’s because we haven’t yet experienced them. Technologies always emerge well before we notice the problems they bring.
There are lessons for security professionals. The first is not to imagine that a technology is safe just because nobody has yet experienced a problem. The second and more important learning point is that security must change from its traditional focus on historical controls and theoretical future risks. The future is uncertain in terms of risks, incidents and impacts. We can’t predict it, nor can we assume that our traditional controls are adequate.
But, increasingly, the future lies more in the hands of people, which suggests that our security strategy should change. We would be far better, for example, spending more time trying to identify and compensate for the root causes of incidents - which are mainly human failings - rather than wasting time guessing the impact of theoretical future risks.
This is no less than the ‘new security’ that we all need: an approach rooted in learning points rather than guesswork. Just imagine how much better our security would be if we’d addressed long standing weaknesses, such as weak passwords, rather than wasting time on risk assessments. But, unfortunately, that would be far too logical, and real life is not like that. Contemporary security practice is based on consultancy lines of business, vendor products, and public policy enshrined in tablets of stone. It’s time for a shake-up.
Cryptography is a booming academic research subject. It’s launched hundreds of security products. Some cryptographers have even become minor celebrities, especially the ones that put their names to famous algorithms. Yet despite decades of research work, product development and publicity, the implementation and management of cryptographic solutions in business remains thin on the ground and immature.
Strong encryption algorithms are fine in theory. But in practice they get undermined by weak password protection. Cryptographic key management is a problem that is yet to be adequately solved. Achieving a workable system across a virtual business environment requires unimpeachable trusted services, a leap ahead in security design ergonomics, and a collective, global change in business practice. In the absence of such a synchronized transformation, true end-to-end protection of information seems no more than a pipe dream.
Ten years ago we looked to PKI to resolve these problems. At least we had some hope. Today there’s no emerging silver bullet. Implementation of cryptographic products remains crude, tactical and inconsistent. Yet we now have an unprecedented business demand for pervasive data protection. This season’s wave of postal strikes will accelerate the move towards a paperless business environment. It’s a shame that we can’t respond to this challenge with an elegant, effective security solution.
The recent Nimrod review set out some important learning points for the Ministry of Defence, as well as the broader safety community. One could argue that some of these points apply equally to the information security community.
In fact there’s nothing new. It was the same core issue of business goals overriding safety concerns that led to the Space Shuttle Challenger disaster. One could also point to the corresponding problem of financial constraints squeezing security countermeasures, especially where there is a clear moral hazard, i.e. when the impact affects someone other than the manager calling the shots.
Today, many security professionals tell me that the answer is better risk assessment. I disagree. The practice of risk analysis is one of the root causes of our failure to match security countermeasures to the emerging threats. It depends on too many unrealistic assumptions: the ability of managers to ignore bonus targets and take objective decisions; a thorough understanding of the problem space and impact of breaches; a capability to predict the short-term future; and the hard evidence needed to convert a recommended control into a financial business case. It's no surprise to find that in practice it becomes a license to selectively ignore a range of known problems.
The risk landscape has also changed substantially since the early years of IT, when financial impacts were the sole concern and the interests of citizens were not seriously damaged by computer intrusions and media losses. Data breaches now cause real harm to customers, and it’s not easy to put a price on that. You can in fact do it if you must. Many safety calculations for example include an estimated cost for a human life. But how much is a reasonable figure for the theft of a customer’s identity?
We can learn much from the model of safety culture spelled out in the Nimrod review. As the report correctly points out, safety depends on leadership, culture and priorities. It is delivered by people, not paper, and it takes a whole community to ensure that we achieve it. Now that’s the real way to manage information security.
For decades information security has been plagued by innovative attacks against unimaginative countermeasures. Where can we find the innovative security solutions needed to protect our increasingly intellectual assets from the growing wave of data breaches?
The track record is not good. Over the last three decades there have been no more than half a dozen real innovations in security countermeasures. The 80s gave us anti-virus technology. The 90s gave us BS7799, firewalls, SSL and intrusion detection. Most advances since then have been variants or new combinations of existing technologies.
And there’s been little or no discernible advance in risk management techniques or security governance principles over the past two decades. Indeed, Shell’s security management frameworks, certification processes, educational material and performance measurement techniques designed back in the mid 90s have yet to be bettered.
So is there anything new out there? The answer is yes there is, but it’s not immediately obvious, generally tucked away in small enterprises or in the corners of research labs, rather than in mainstream products. We rarely get to catch a glimpse of these innovations, except in competitions such as the excellent Global Security Challenge (GSC), the annual finals of which took place earlier this month at London Business School.
The range of ideas and technical excellence shown by the GSC finalists were outstanding. Many were breakthrough, game-changing developments. They included both physical and cyber security technologies. Several caught my eye and impressed me. I’d even be tempted to buy them out, while they’re small, if I had enough money to burn.
The cyber security challenge was won by Ksplice, a new technology from MIT that enables Linux applications (and others where the source code is available) to be patched without rebooting. Clearly this is most useful for 24x7 servers, but it would be nice to see this capability in clients, routers and other platforms.
One of the cyber security challenge runners-up was a self-cleansing intrusion tolerance (SCIT) technology developed at George Mason University that reduces the exposure of platforms by rapidly rotating and cleansing a set of virtual servers. I’ve long argued that security should exploit ideas from nature, such as sex and death. This technology nicely illustrates the power of death in promoting longer term survivability.
The physical security finalists were even more imaginative. Auxetix demonstrated a counter-intuitive material that actually thickens when stretched, enabling it to be used for lightweight body armour that can withstand point-blank grenade attacks. Kromek, out of Durham University, won the SME category with a breakthrough scanning technology that can detect liquid explosives inside a suitcase. From Seattle came a breakthrough ‘brain fingerprinting’ technology that can detect whether a suspect recognises a known image, such as a photograph of a terrorist.
There were many other great ideas which demonstrate that security innovation is alive and well within universities and research labs. So why does it not always make it into products? The answer is very simple. It’s much easier, cheaper and faster to enhance and re-badge an old product rather than develop a new one.
The Global Security Challenge does an excellent job at highlighting breakthrough concepts in security. We could do with a lot more investment and support to help develop these ideas into everyday products.
Last week I was lecturing at Royal Holloway University of London, as I’ve done for the past ten years or so. I’ve noticed a steady increase in sophistication in the audience over the years, and more recently an encouraging urge to challenge accepted wisdom. It’s a reassuring trend, as many of today’s practices are questionable and future security requirements will demand a different set of skills from the ones we tend to find in security functions today. So what are these skills? And why aren’t we grooming our apprentices in them?
Let’s answer the latter question first. One reason is because security managers don’t seem to be very good at forecasting emerging trends. Two leading information security institutes, ISF and ISC2, have attempted to predict future skills from member surveys. Unfortunately, that’s not a reliable method of forecasting the future. The questions might not be the right ones (you don't know at the outset) and many of the members polled will not have the insight or time to make a realistic forecast. This is why these forecasts look more like a blueprint from ten years ago for the in-house function of a major bank.
Any kind of future planning requires three things. Firstly a selected group of subject matter experts and researchers that collectively possess knowledge of emerging trends in security, technology, politics, business, legislation, economics and social science. Secondly an environment in which they can pool knowledge and explore interactions between emerging trends. And thirdly a process in which they can ‘wire together’ a realistic road map of events, developments and impacts. There are existing methodologies for this, such as Technology Road Mapping, a process I’ve used many times with reasonable success.
In the absence of a proper planning exercise, I shall have a go at using my own intuition to forecast some emerging core competences that we will need for the longer term. Some things seem very clear about the long term future. Firstly most infrastructure and applications will be in the cloud rather than in-house, requiring more user education and less operational security. Secondly, risks will get bigger, more sophisticated and more damaging. Thirdly, regulatory compliance will get tougher and the penalties for failures more severe. And fourthly, social networks will be the primary means of communicating with company staff.
Thinking on these points, here are my seven top skills for the future security professional.
1. An understanding of psychology to plan interventions that might actually have an impact on the behaviour of staff
2. Social networking skills to influence and harness the support of large numbers of users and customers over social networks
3. Skills in marketing communications to design compelling, effective awareness campaigns and materials
4. Strong commercial management skills to specify and manage security across business partnerships and outsourced supply chains
5. Sophisticated crisis management skills to safeguard the organisation’s intellectual assets (not just the data) in the likely event of a major security breach
6. Digital forensic skills to detect and prove when an intruder has infiltrated or modified the organisation’s intellectual assets
7. A sound knowledge of legal and regulatory requirements and issues
In addition, a thick skin to take the flak from our increasingly brutal management teams might also be a useful survival skill. Further suggestions are of course highly welcome.
The end of the first decade of the 21st Century marks a turning point in information security, when major changes will be needed in perspective and practice. Here are my top ten forecasts for the coming decade.
1. Security demands new knowledge and skills
I’ve been pointing out for some time that we have the wrong skills for the future. The adoption of cloud services and the growth in social networks means that security management is less about specifying and managing technology, and more about persuading large numbers of people to do things they’re not inclined to do. This means drawing on fields such as psychology, marketing and education, and sharpening up skills in diplomacy, negotiation and crisis management.
2. Data integrity becomes a top priority for CIOs.
Data integrity is the final frontier for information security: one that has been widely ignored for decades by both attackers and defenders. Yet the impact of unauthorised changes to data can be deadly. Data quality standards are unacceptable in most organisations. Sooner or later, citizens and regulators will discover this and demand action.
3. Cyber terrorism strikes
Critical national infrastructure has had an easy ride over the past two decades as governments have been reluctant to raise the bar to the level that’s really needed to prevent or deter cyber attacks by terrorists. All it takes is one terrorist incident to change that. Such an event is inevitable in the coming years.
4. Spies become unfashionable
In a transparent world of pervasive communications, security will become harder and privacy more valued. Surveillance systems will deliver a richer output on ordinary people than on terrorists and criminals, resulting in a growing citizen backlash. Forget the glamour of 'Spooks' as glamorous spies slowly morph into unwanted snoops.
5. Information warfare begins to mature
Cyber warfare has yet to evolve into anything resembling a basic level of maturity. It has yet to acquire the necessary skills or escape from the unsuitable context of traditional military doctrine. This will change markedly over the next decade with the growing appreciation that information warfare is more the art of illusion than the science of sabotage.
6. Supply chains dominate the problem space
We don’t do enough to monitor the security of technology suppliers and subcontractors. They represent the soft underbelly of government and industry. Awareness of the problem is growing, though the solution space is thin. Security managers will be compelled to bite the bullet as regulators tighten their demands.
7. Cloud services set new security standards
The current advice from lawyers and security consultants is that cloud services must be thoroughly audited by prospective purchasers. This is not viable for standardised services that rely on economies of scale. The sensible solution is for service providers to demonstrate high standards of security. The ones that get this right will dominate the longer-term market.
8. Virtualisation inspires new security solutions
Cloud services might present new security risks, but virtualisation technology also offers tremendous potential for new security solutions, enabling users to rapidly switch user profiles and client platforms. This will trigger a new wave of imaginative new security technologies.
9. Email must change or die
Vendors have failed to deliver a consistent solution for authenticating and encrypting messages to and from third parties. With dozens of competing, incompatible solutions, third party email security is a mess. It must change or die. Either way it demands the establishment of a trusted third party to administer the encryption keys.
10. A new trusted third party must emerge
Responding to the need for secure communications between parties requires the establishment of a trusted third party. The rush to dominate this solution space at the turn of the century has now subsided into a crawl, just when we all need it. It’s time to start this ball rolling again.
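Forecast 2 above (unauthorised changes to data going unnoticed) and skill 6 in the earlier posting (proving that an intruder has modified the organisation’s assets) both come down to one control that most organisations lack: an independent integrity check over their records. The following is an added illustration, not code from this blog or from any product it mentions. It chains an HMAC tag through a constructed list of records so that an edit, a deletion or a reordering is pinpointed to the first affected record; the key name, record fields and sample values are all assumptions for the demo.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical key held by a separate integrity service, not by the application
# that writes the records: an intruder who can edit the data store still cannot
# recompute valid tags. Constructed value for the demo only.
INTEGRITY_KEY = b"demo-integrity-key-replace-in-production"
GENESIS = b"\x00" * 32  # chaining value for the first record

# Constructed sample records standing in for a business data set.
SAMPLE_RECORDS = [
    {"id": 1, "account": "A-100", "balance": 1500},
    {"id": 2, "account": "A-101", "balance": 250},
    {"id": 3, "account": "A-102", "balance": 9800},
    {"id": 4, "account": "A-103", "balance": 40},
]


def canonical(record: dict) -> bytes:
    """Stable serialisation so the tag does not depend on dict key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_records(records: list, key: bytes = INTEGRITY_KEY) -> list:
    """Return copies of the records, each carrying a 'tag' chained to the previous tag."""
    tagged = []
    prev = GENESIS
    for rec in records:
        mac = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        tagged.append({**rec, "tag": mac.hex()})
        prev = mac
    return tagged


def first_bad_record(tagged: list, expected_head: Optional[str] = None,
                     key: bytes = INTEGRITY_KEY) -> Optional[int]:
    """Index of the first record where the chain breaks, or None if it verifies.

    Because each tag covers the previous tag, editing, deleting, inserting or
    reordering a record breaks the chain at that position. Removing records from
    the end leaves a shorter but valid chain, so the last tag ('head') must be
    stored separately; when it is supplied, a truncated chain is reported at
    index len(tagged).
    """
    prev = GENESIS
    for i, rec in enumerate(tagged):
        body = {k: v for k, v in rec.items() if k != "tag"}
        expected = hmac.new(key, prev + canonical(body), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), str(rec.get("tag", ""))):
            return i
        prev = expected
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return len(tagged)
    return None


if __name__ == "__main__":
    ledger = tag_records(SAMPLE_RECORDS)
    head = ledger[-1]["tag"]           # stored out of band by the integrity service
    print("intact chain:", first_bad_record(ledger, head))

    edited = [dict(r) for r in ledger]
    edited[1]["balance"] = 999999      # silent edit of one field
    print("edited record at:", first_bad_record(edited, head))

    deleted = ledger[:1] + ledger[2:]  # record 2 removed from the middle
    print("deletion detected at:", first_bad_record(deleted, head))

    truncated = ledger[:-1]            # last record removed
    print("truncation without head:", first_bad_record(truncated))
    print("truncation with head:", first_bad_record(truncated, head))
```

The last two lines of output show why the head tag has to live somewhere the data writers cannot reach: without it, trailing deletions look perfectly valid.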
I’ve been lobbying for some time for more attention to the need to persuade SMEs to address security. It’s a subject that’s been ignored or taken for granted for far too long. Without sensible interventions, SMEs will not implement security. It’s a ‘grudge purchase’, and they don’t have the knowledge, time or money to go about it. Action is needed to improve awareness, incentives and support.
Fortunately, the Information Commissioner’s Office has recently sponsored research in this area. The results will not be published until after the election, but the initiative has already begun to stimulate some long overdue activity in this area. The subject has been included in recent meetings of the ISSA-UK and SASIG. The ISSA-UK has also formed a dedicated task force, the ISSA 5173 group, to address the challenges. It met for the first time last week in London and identified three streams of work: to look at networks; standards; and incentives and psychology.
In my view, current security standards are not appropriate for SMEs, though there are some interesting efforts being made to sell or adapt ISO 27000 standards. (Phil Stewart of Excelgate has an interesting blog posting on this.)
This is a global issue. I’ve also picked up indications of strong interest in the USA and Far East. Next week I’ll be conducting opening keynotes at conferences in Hong Kong and Singapore, so will be looking to collect views on how this issue should be tackled. I’ve said before that 2010 will be the year that enterprises sort out their supply chains. Compelling SMEs to implement security is at the heart of that problem.