If the focus of a year could be summed up in one word, the word I would choose for 2009 is risk. Ignorance of true risk, mismanagement of known risk, and misunderstanding of potential risk precipitated the collapse of our global economic system. The bad news is that it took a crisis of such great magnitude to draw world attention to the need for effective risk management.
This newfound awareness is good news for those of us in information security leadership. A recent study conducted by Price Waterhouse Coopers on information security in 2010 revealed that the role of information security within organisations has increased significantly and is now widely recognised within executive ranks as strategic to organisational health and success. Its about time.
Renewed attention to and focus on risk is often the impetus for significant growth in our industry. In year 2000, at the height of the dot-com bubble, denial of service attacks on and defacements of websites ushered in renewed growth in anti-virus and intrusion detection products to fortify vulnerable perimeters.
In the period between 2003 and 2005, our attention was drawn to the vulnerability of information itself with the advent of phishing and pharming attacks. This awareness spurred development of information-centric security solutions such as data loss prevention, desktop file encryption, security and information event management and risk-based authentication.
What to expect in 2010
What do we see for 2010? In terms of vulnerability, we see coordinated attacks on the rise. These combined attacks often rely on Trojans to harvest Personally Identifiable Information (PII) and credit card data. That data is then exploited by people and/or social engineering tactics to steal assets. And those assets are eventually delivered to established drop zones for profit sharing.
Royal Bank of Scotland is one high-profile example of a remarkably coordinated attack that combined stolen account numbers with a network of cashers scattered around the world who, in the span of 12 hours, drained close to $10 million dollars from more than 2,000 ATM accounts.
Not only are the threats increasing in level of sophistication, but the degree to which malware and Trojans have permeated small businesses has reached pandemic proportions. And large enterprises are not immune. RSAs anti-fraud command centre in Israel reports that not only are the number of Trojans doubling every quarter but in a single month, 60 per cent of the Fortune 500 companies were determined to be contaminated with Trojans from infected employee laptops.
To address this pandemic, I believe another transformation is coming. Security-as-a-service and Safety in the Cloud will become central themes in 2010. Not just for large enterprises but for small merchants as well. With regard to smaller organisations, we will need to finally face the fact that these operations are ill-equipped to understand, let alone stand up to, the security required to defend against todays attacks. We need to offer security services that are cost-effective, convenient and transparent.
Sign up for CIO Asia eNewsletters.