It’s always wonderful to start a new year. A new year brings a fresh perspective and renewed enthusiasm. So what do I think twenty-fifteen will bring us?
More breaches! No organisation’s security is perfect, security breaches, data theft and public data disclosure will continue. Generally, in the private sector you just have to “target harden” enough until security becomes a competitive advantage instead a liability to your executive’s tenure.
More badly written regulation. Unfortunately many regulators write security and privacy regulations and legislation with no alignment to the ISO 27K series of standards, the bible for information security and the basis for many Information Security Management Systems. For goodness sake regulators, please consult Wikipedia before you pick up your pens, or engage professionals! At least you could include mapping to the relevant ISO standard, and align the standard statements in them to your standard statements. Help us ease the compliance burden if you must re-write the bible! If you feel the need to elaborate on them, participate in the standards committees!
DevSecOps. The cloud enabled approach of version controlling your infrastructure deployments via automation scripts will continue. Securely configured Amazon Machine Images (AMIs) are now available and organisations will more widely start to deploy file system permissions and application software secure configurations along with binaries and compiled code as part of automated deployments.
Agile Security. Security governance, architecture and testing need to revisit their core functions and re-invent themselves to enable agile development rather than hinder it. This may mean firewall rule requirements gathering as part of design for epics, abuse cases written up as part of user stories, static analysis as part of development frameworks, developer initiated dynamic analysis, dedicated security testing and code review resources for core enterprise applications etc.
Mergers and Acquisitions in product land. As anti-malware becomes less effective, I suspect we will see “the 200 pound gorillas” acquire smaller more agile security companies with more advanced malware protection technologies. I would not be surprised if we saw main stream web content management systems enabled with technologies that detect malware command and control communications, or email content systems that dynamically quarantine files with suspected malicious content identified on a site via sandbox based analysis—rather than by MD5 hash designated as malicious by an overworked analyst in a data entry environment after someone submits a malware sample.
As always your comments are welcome below and please consider following me on twitter for more irreverent commentary!