Craig Spiezle, executive director & president of Online Trust Alliance (OTA)
Randy Sanovic, owner of RNS Consulting; former general director, information security of General Motors
Rich Mogull, founder of Securosis
Gerhard Eschelbeck, CTO & SVP at Sophos
Daniel Kennedy, research director, TheInfoPro, a division of The 451 Group
What threat vectors will be most prominent? Why?

Sanovic: My first worry would be malicious hackers and bots. The environments that concern me most are mobile computing and social technology. For example, to somewhat secure Facebook could require at least 105 clicks, and most people, including the more technical-oriented, will not get it done. Because of the pervasiveness of mobile computing, and the fact that technological advances continue to outpace reasonable and prudent security fixes, I feel we will not be able to get “user friendly/capable” security solutions implemented in a timely fashion.
Mogull: What's prominent in terms of attacks? The same stuff as today: email and web phishing/social engineering. In the press releases? Whatever the vendors want to sell that you probably don't need: a lot of mobile device and cloud hype. I expect a lot of iOS headlines this year, and a lot of Mac hype. Not that Macs are immune, but the hype will far outweigh the number of people being compromised. And, while cloud security is important, most of what you'll see is “cloudwashing” of traditional security stuff. People will really have to keep hunting for the innovation (which is there, just not from your usual vendors).

Kennedy: Enterprises are concerned about trends associated with IT consumerization – personnel bringing in their own devices – and how to handle that in all of its manifestations (smartphones, laptops, etc.) while still protecting custodial and intellectual property data.
What security solutions/services will see increased adoption? Why?
Spiezle: Email authentication and hard blocking will gain, as will walled garden/blocking of unprotected PCs.
Sanovic: I think cloud security services will be more in demand, and that will help determine the extent of security technologies applied. The main issue will be cost, and how onerous the computing overhead of such technologies will be.

Eschelbeck: The rapid inflow of consumer-owned smartphones and devices is causing significant security challenges for many organizations. IT departments are being asked to connect devices to corporate networks and to secure data on these devices, over which they have very little control.
Due to the high degree of mobility, security requirements are plentiful, including enforcement of use policies, corporate data encryption, secure access to corporate networks, productivity/content filtering, and, of course, malware protection. Mobile security and management solutions will likely see significant adoption in 2012. The global nature of these mobile security challenges makes them prime candidates for solutions delivered as services in the cloud.
Kennedy: Both flavors of data leakage prevention (DLP), endpoint and network, top the in-plan implementations we see in our user-based research for 2012. Application-aware, or next-generation, firewalls are a close third.
Which will see declining adoption rates? Why?

Mogull: Nothing. We're too scared to drop even worthless products.
Eschelbeck: In 2012, we will continue to see the evolution from traditional Windows-based endpoints to a new generation of form factors, including very lightweight endpoints and tablets. While some development will be incremental, part of this will also come at the cost of traditional desktops, notebooks and laptops. Security technology will follow the same paths, and traditional endpoint security mechanisms will reach their physical limits on these new platforms. The unique nature of these modern form factors requires rethinking of security and defense mechanisms, whereby cloud-based delivery models will play an important role.
Which security lesson will organizations be forced to learn this year? Why?
Spiezle: I see more focus on looking at security and privacy by design in a concerted effort, with a mindset of completing a security impact statement for every business process. Further, data minimization efforts will increase, and data incidents will be required to be reported by the U.S. Securities and Exchange Commission and the Sarbanes–Oxley Act, increasing C-level accountability.
Sanovic: Organizations will be forced to concern themselves with true data protection mechanisms/technologies versus the more current focus on application protection measures/technologies.
Eschelbeck: Security really is about more than Microsoft. While a majority shareholder in the volume of malicious code out there, the PC is not alone anymore, as demonstrated by some of the effective fake anti-virus programs for the Mac. Mobile devices will also fall into this category as we experience a new set of operating systems with different security models and attack vectors.

What will be the most surprising security-related development?
Sanovic: The focus on mobile security will force and drive security solutions in the mobile and social media arenas.
Mogull: If I told you it wouldn't be a surprise. It would also be wrong, so I try not to predict the unpredictable.
Eschelbeck: We are currently seeing daily news of security incidents and exposure of corporate data, whereby the even-more-troublesome security issues could be in critical infrastructure systems. This could easily create alarming surprises in the coming year. We saw attacks on the critical network infrastructure, as well as control systems, but there are many other types of systems, including aviation networks, which could come under focus of cybercriminals. We also continue to integrate and connect technology more and more into our lives – for example, smart grid infrastructure – and such systems could yield attacks that have a new “personal” impact on us.