Security researcher Dan Kaminsky once said, “Being wrong just means the world is a more interesting place than you thought it was.” Looking back at 2010, I think some of us had a more interesting year than others. In fact, if you look back at some of the predictions from a mere 12 months ago, you have to wonder if anything has really changed. There are new threat vectors, but the same old security problems still exist.
So what received the most attention over the past 12 months? The “Operation Aurora” event, where Google and a couple dozen other high-profile companies were allegedly compromised, was the first big news of the year.
The Stuxnet virus discovered in July caused those of us in the critical infrastructure protection arena a lot of sleepless nights since this was the first piece of malware that specifically targeted industrial control systems. It apparently gave Iran's nuclear program a serious headache!
The last big news of the year was, of course, the WikiLeaks disclosure of thousands of pieces of classified government communications. Interestingly, this is one of the data breaches that a standard dose of personnel security policy and available technology probably could have prevented. Some of the companies here tonight can fix this one.
So yes, we had our share of what had to feel like black swan events, but were they really abnormal? Looking back over the past few years, I think the answer is “no.” The good news continues to be the high quality of professional people and companies that realize the problems can't be fixed by watching the parade from the grandstand.
In the security business, urgency can sometimes be a distraction, and persistence is typically the more valuable trait. The companies and security professionals being recognized tonight deserve congratulations for their perseverance, and we thank them for everything they do.
– Mark Weatherford is VP/CSO at the North American Electric Reliability Corp. (NERC)