A number of experts share their (sometimes droll) thoughts on the past and future of the IT industry, reports Angela Moscaritolo.
How do you see the IT security industry evolving over the next 20 years?
Roy Tuvey, president, ScanSafe
(left) As with anything, when asked to predict the future, people tend to think radically rather than incrementally. We will continue to see a move toward a decentralized client computing environment, with company desktops being a thing of the past. Accordingly, the network security perimeter will continue to be increasingly elastic with security companies having to adapt their wares to protect disparate laptops, as well as rapidly growing communication channels.
At the backbone of all this will be the web, as more and more services are pushed to the cloud. Securing this additional volume and different types of information will challenge the information security industry, creating opportunity as well as pain points. This will undoubtedly result in the creation of many new companies as the next “killer apps” start to become apparent.
Robert Holleyman, CEO and president, Business Software Alliance
Security will be an even more critical component of the IT experience. This will generate further innovations and breakthroughs. It will increase confidence levels. It will enable more carefully controlled exchanges of data, at all levels of sensitivity, within organizations and in consumer commerce. Many new market opportunities will be created within the security industry via direct channels and partnerships.
Jim Preasmeyer (right), director of sales and business development, Fujitsu Frontech North America
We have to stay one step ahead of those with evil intent and be smarter about how we protect our increasingly sensitive data. I see biometrics playing a huge part in protecting data moving forward. We have all seen the sci-fi movies predicting a world in the future where waving a body part to get into buildings or to gain access to computer systems is the norm. That day is coming quicker than people realize, in part because of the evolution of viruses being created. It is becoming more and more imperative to go to these extremes in order to protect our precious data. The world is rapidly increasing the amount of data stored electronically every day.
Jody Brazil, president and CTO, Secure Passage
The third-party security solutions marketplace will continue to thrive despite continued pressure on applications and network vendors to deliver secure solutions. IT security operations will become the responsibility of operational teams and individual team members with specific functional responsibilities – such as network, remote access and systems management – will specialize in providing security for their respective functions. Additionally, the corporate IT security group will more clearly shift from an operations to an audit capacity.
Craig Lucca (left), manager, security administration and management, Bloomberg
I guess if you believe the Mayans, it’s irrelevant as the world will end in 2012. I suspect being an information security professional will become more complicated. This opinion is based on increasing complexities regarding regulations and legal requirements pertaining to safeguarding data. I believe it will be further complicated by a workforce which is becoming more and more open to sharing sensitive, as well as personal data. Just look at how workforce members use Facebook, MySpace and Twitter to share information. Yes, assuming the Mayans are wrong, being a security professional in 2029 will not be any easier than it is today.
Chenxi Wang, principal analyst, security and risk management, Forrester Research
I see cloud computing significantly changing the security industry. The IT security professional’s role will migrate from day-to-day operations to more of a compliance control role.
Avivah Litan, vice president and distinguished analyst, Gartner
Security will be baked into apps and won’t be an afterthought or an add-on.
Taher Elgamal (left), CSO, Axway
Many of the successful security technologies will get consolidated and integrated into the mainstream industry. Platforms and application vendors will integrate many security measures into their products, while smaller, newer companies will emerge to solve new problems and combat new threats.
Aaron Higbee, CTO, Intrepidus Group
Twenty years from now? If robots have taken over the human race, there will be no need for a security “industry.” But if humans are still involved with technology, the security industry will have fancier tradeshows and even fancier buzzwords to confuse people.
Jim McKenna, IT director, Iroquois Memorial Hospital & Resident Home
Web-based business computing is, in my opinion, still in its infancy. That means we will be doing more with less on the user side, and that means more streamlined security solutions will be in play. Health care and the development of the nationwide electronic medical record is going to be the catalyst for change in security systems. We will see protocols developed to transfer vital data from secure archives anywhere it is needed – from the largest medical centers to small rural providers like mine. Security is going to move from a business-centric model to a global standard. For individual users, I forsee physical security methods – like voice, fingerprint and retina scanning – to move to the forefront over time.
Amit Yoran (left), chairman and CEO, NetWitness
A larger gap will exist between our dependence on technology and our inability to protect it than at any point in history. As technology increasingly accents high performance organizations, this dependence will accelerate. This will evolve in increased complexity and interconnectivity of technologies, making them hopelessly abstracted from user understanding. The size of the resulting attack surface of user, applications, data, networks, mobility, code and supply chain of hardware, software and services will make the job of attempting to defend IT systems completely impossible. And our ability to disconnect will be reduced to zero.
Who has made the biggest impact on the information security industry and why?
I would nominate Michael Howard from Microsoft for his tireless effort to evangelize software security. The Microsoft secure coding practice is now a well know industry practice.
Avivah Litan (right)
Al Gore, because he invented the internet and set the stage for a rampant increase in the velocity and effectiveness of criminal attacks.
Without a doubt, cybercriminals and hackers have made the biggest impact in the industry. These individuals and groups always show creativity and resourcefulness in how they develop their tools to attack their victims. This has maintained an ever-moving target that security vendors have to stay ahead of in order to maintain the security of their customers. Cybercriminals have already highlighted significant weaknesses in traditional security technologies, such as anti-virus and URL filtering. This has forced the development of the more complex, dynamic security systems required in order to try and maintain security status quo.
Mikko Hypponen (left), chief research officer, F-Secure
Unfortunately, the biggest impact has not been made by the good guys, but by the bad guys. I would nominate the unknown authors of the Code Red, Slammer and Blaster worms. From 2001-2003, these worms demonstrated, in a painfully effective manner, how internet connectivity had made all of us victims to global outbreaks. Largely thanks to the huge problems caused by the worms, the security industry and operating systems manufacturers stepped up their game. As a result, we have much better built-in security in today’s systems.
Brian Chess, co-founder and chief scientist, Fortify Software
Bill Gates reinvented IT security twice. The first time around, he made bad software (Win95) and created an incredible need for reactive aftermarket security add-ons: firewalls and anti-virus. Then, in 2002, his Trustworthy Computing Memo to all Microsoft employees changed Microsoft’s course. He said “So now, when we face a choice between adding features and resolving security issues, we need to choose security.” Microsoft has proven that software security assurance is critical to business success and that sustained improvement is possible.
Santhosh Cheeniyil (left), co-founder and VP of engineering, Avenda Systems
Vendors in virtualization technologies and cloud-based computing have made the biggest impact on the information security industry recently. Physical security, that is, physical access to network and computing devices, can no longer be taken for granted. Virtual machines can be moved across physical boundaries. This has resulted in information security experts having to rethink their strategy of dealing with data center security. It remains an unsolved problem.
Niall Browne, CISO & VP, information security, LiveOps
The Attacker. A new attack or vulnerability can have the entire security industry worldwide scrambling to just keep up. No other entity has the ability to mobilize so many and so quickly (albeit against their will).
Nir Zuk (right), founder and CTO, Palo Alto Networks
The biggest impact on the information security industry was probably made by the Russians and Chinese who came and are still coming up with ingenious ways to steal data and by creating and expanding the sector.
What are the major vulnerabilities or threats that you think industry players will worry about over the next 20 years?
David Goldschlag, CTO, Trust Digital
IT security initially focused on protecting computing systems, in particular against viruses and other malware. Today, the major focus is data protection, including the security of stored information and the control of information flows through data leakage protection. In the future, security is likely to move further up the stack, including application security and risk mitigation through data mining. In addition to protecting against malware, we need increasingly effective ways to ensure that flaws in applications are detected and remediated, and that applications and services themselves do not create opportunities for fraud.
Looking at the next two decades, the real question is how much worse can the web malware problem get before it threatens the viability of the web as a whole. The web and, in particular, social networking, has eroded the last remaining vestige of perimeter security. Threats will continue to evade the technologies most popular with users in an effort to steal or hijack digital assets. Those technologies that are most widely adopted in the future will also be the technologies most subject to vulnerability exploits. Today, the target is Adobe Reader and Acrobat because PDF is ubiquitous on the web. The target(s) over the next 20 years will continue to follow the weakest link that offers the widest coverage. One thing that is for sure is that malware will continue to be for criminal profit.
Anton Zajac (left), CEO, ESET
The current challenges are big enough. Deeper penetration of IT into everyday life and its affordability will pose a new challenge: how to protect ignorant and irresponsible users.
Technology gets better, but people evolve slowly. In 2029, we will still be worrying about social engineering and warning people about spoofing and phishing.
Signature based anti-malware products will go the route of dinosaurs. How we tackle zero-day attacks by insiders, outsiders and possibly extra-terrestrials will be a worry in the foreseeable future.
Doug Ross, VP/CTO, Western & Southern Financial Group
We live in a dangerous world and have already seen information warfare waged in Eastern Europe. Well-funded entities, such as nation-state actors, will increase their competencies in both offensive and defensive information warfare. Their efforts could be geared toward theft (financial, intellectual property) or sabotage. And insiders will continue to be a significant challenge. I think that because of cloud computing and the insider threat, the notion of an internal network protected by perimeter security may find itself challenged with dramatically new models.
Chenxi Wang (right)
What threats and vulnerabilities will we be concerned with over the next 20 years? That’s a long time. The security game should change by then. But in the foreseeable future I think the biggest threat is still in data protection (how to protect against malicious theft of valuable data).
Beyond that, I think the usage of information will change such that less value is placed on the physical data, more on how the data is used and interacted with application and users.
What this means is that information/data theft will be significantly more difficult – a piece of physical data will be useless unless you penetrate the way it is being used.
Nuclear war and global climate change will be major factors. Security technology can certainly play a role in the former. When it comes to climate change, stronger security will be required to protect the artificially controlled environments that only the wealthy will be able to afford to live in.
Jody Brazil (left)
Targeted attacks designed for personal, monetary and political gain will increase for the next 20 years. Attacks designed by “kids” to prove “it could be done” will be replaced more and more by attacks designed by organized criminals, politically motivated terrorists and highly skilled hackers. Cloud and SaaS application vulnerabilities will be a serious issue as an attack on a cloud application could compromise thousands of companies.
The cynical answer: Whatever our legislators have mandated into a regulatory compliance. That’s where the money is.
Paul Wood, MessageLabs intelligence senior analyst, Symantec Hosted Services
The adoption of converged mobile technology has been one of the fastest technology growth areas in recent years, and I expect that over the next 20 years, as costs come down and very high speed connections become readily available through advanced wireless communications, the mobile environment will become the main vector of attack. Currently, businesses may be the large, lumbering, lucrative targets in the online cybercriminal world, and in the future it will be each and every connected individual as we will all be connected.
In your opinion, what was one of the most impactful happenings or developments in information security?
The development of pattern detection and predictive modeling technologies. We can’t stop many of the attacks but we are getting smarter in identifying and blocking them through these technologies.
Gunter Ollmann (right), VP of research, Damballa
The growing pervasiveness of regulatory compliance on the way in which organizations now have to evaluate the security of digital information within their business has had the most significant impact on businesses to date. While the requirements for public disclosure of corporate breaches have been a very visible consequence of the increasingly well-defined regulations and policies, the internal effect of these regulations has been the rallying both security technologies and the teams responsible for managing them, and a new level of threat awareness throughout an organization. As a consequence, almost every level of an organization better understands their responsibilities and obligations in protecting digital systems, and the implication of failure. That said, as witnessed in many of the largest data breaches disclosed thus far, there is still a substantial gap between meeting the bare minimum regulatory requirements and actually protecting systems in a meaningful way against professional cybercriminals.
Ravi Sandhu (left), executive director of the Institute for Cyber Security at the University of Texas at San Antonio
Two things actually: the emergence of a highly innovative and deeply organized criminal underground economy in cyberspace, and the botnet as a facilitator of lucrative attacks. Regrettably, this scores as Attackers: 2, Defenders: 0.
Michael Murdoch, president and CEO, AppRiver
Continual advancements in cloud technologies highlight the rapid pace of innovation and increasing demand for cloud services. Cloud ideologies and practices are a few of the more impactful developments in information security.
The thought leaders in security have come to realize that even strong defenses are penetrable. They understand that in spite of the millions of dollars spent and their best efforts, that enterprises are already compromised and will continue to be compromised for the foreseeable future and that all of the vendor and marketing claims and promises are not about to change that very cold and stark reality. If anything, the increasing complexity of technology has increased the ease with which easy-to-use advanced threats can impact enterprise business environments with little care for their state of compliance with meaningless regulatory mandates. While expecting perfect protection is a failed strategy, many on the leading edge are learning to operate in environments they suspect of being partially compromised and increasingly focus their efforts on the ability to understand incident scope, impact and validate cleanup.
Robert Holleyman (left)
BSA was on the front line in the 1990s in the battle against attempts by the U.S. government to restrict the use of encryption (by controlling exports and mandating use of government-provided encryption). Our industry’s victory in these “encryption wars” demonstrated that technology development is a global phenomenon that governments cannot prevent, control or regulate, but instead can influence by partnering with the private sector. Allowing stronger encryption has advanced greater computer security, promoted consumer confidence and expanded online commerce.
Over the past 20 years, the adoption of email via the internet as a mainstream communications medium has had the greatest impact. Before then, malware would spread slowly in a matter of weeks and months via infected floppy disks and then later via infected CD-ROMs.
The wide-scale adoption of the web is, without a doubt, the single most impactful development in information security, as well as the technology industry as a whole. The ability to reach anywhere on the internet from anywhere in the world turned information security from a layered architecture, involving both physical and digital security, to one that was entirely digital. Hackers didn’t have to gain physical access to premises in order to steal or corrupt data.
The adoption of using the web was a driving force that created not only huge business benefits in terms of how and where people work, but also created a mass of targets – individuals and businesses – that could be exploited for financial gain.