Although predictions for the coming year are a staple of the season, I will do more than offer an educated guess. I am going on the record with a guarantee: In 2012 we will see an increase in network intrusions from disparate parties trying to create IT infrastructure chaos for a variety of reasons, primarily political, financial and economic. An easy prediction, perhaps, given the trend. And yet, while I fully trust that CSOs, CISOs and security teams are doing all they can to prevent breaches, I am deeply concerned that they still lack the technology to adequately protect IT infrastructure from malicious attacks.
There are several reasons for this state of unpreparedness. Budget constraints certainly continue to be an issue even as the U.S. economy plods along in recovery mode. However, the more disconcerting limiting factor is beyond the direct control of infosec executives: the scarcity of innovation in the information security industry.
Too few entrepreneurs are bringing to market new technologies that are the core building blocks for information security. While I wouldn't go so far as to say enterprises are bringing a knife to a gun fight, there is no doubt that the industry is not keeping pace with the technology or the ability of attackers. The resulting disparity between available options and the growing challenges faced is what I call the innovation void.
Four factors created the innovation void: cuts, constraints, consolidation and capital.
Cuts: IT spending cuts during the Great Recession were deep, and spending has yet to recover. U.S. software CAPEX growth was just 7 percent as of Q2 2011, exactly where it was 20 years ago. Spending is off the lows of 2008 and 2009 but shows only modest gains -- especially given those lows, is 7 percent growth really all that impressive? Many software vendors have been unable or unwilling to invest in R&D in this climate. The downstream effect is a dearth of truly new technologies. I suspect this will change as the domestic and worldwide economies -- which are now clearly and highly correlated -- improve. In the meantime, enterprise customers can anticipate only minor improvements to infosec solutions.
Constraints: The challenge of spending cuts not only affects companies that sell information security software. The innovation void leaves CISOs, CSOs and their teams navigating increasingly complex and treacherous environments. The explosive increase in the use of employee-owned consumer technologies within the workplace -- especially mobile technology, e.g., smartphones, iPhone, iPad, iWhatever -- means information security professionals have to protect a broader plane of vulnerability, and do so with fewer resources.
Consolidation: Acquisitions of independent information security technology vendors by multinational information technology conglomerates often dilute focus, change business priorities and slow the operational tempo of the acquired companies.
Capital: The final factor contributing to the innovation void is a lack of capital investment. According to The Moneytree Report by PwC and NVCA based on data from Thomson Reuters, venture capital investment in IT security in 2010 was just $400M, up a tick from 2009 but the second lowest year since 1998. Absent adequate funding, research and development cannot happen and we run the risk of critical technology inventions never seeing the light of day. Venture capitalists seem more interested in the latest social media start-up than the IT security market. Ironically, popular social media platforms such as Twitter and Facebook are increasingly popular targets for black-hat hackers, exponentially increasing the need for information security innovators.
So how do we manage this situation and turn a possible crisis into an opportunity? The good news is that the innovation void is a very solvable problem. The solution begins by changing conventional approaches to vendor/customer relationships. Developing a real partnership in which both parties have a stake in mutual success is a critical first step. Information security professionals will have to think and act strategically, not just tactically. There are tremendous opportunities for vendors, startups and end users to thrive in this new environment.
So how do you do it?
Some of the ways you can embrace the new reality include: