Here’s what already is fairly obvious: The turn of the calendar to 2009 promises further sophistication from organized cybercriminals, forcing the private and public sector to act swiftly and decisively if they want to steer clear of potentially devastating data breaches.

Meanwhile, maturing – and some new – government and industry mandates will require firms globally to implement enhanced technologies and policies to stay in compliance.

So…judging from the threats and the rules, organizations should be better prepared than ever to tackle the emerging attack landscape, right? Not so fast.

Remember, 2009 comes saddled with an imposing and unmistakable caveat: a plummeting economy that many fiscal experts suggest is going to get a whole lot worse before it gets even a little better. Combine that with a new presidential administration, and predicting what the last year of the 00s holds in store from an IT security perspective could be like forecasting that the Tampa Rays were going to make the World Series this year.
So we figured our best chance at insightful prognostication would lie with some of the illustrious experts speaking at the inaugural SC Magazine World Congress, to be held Dec. 9 and 10 in New York.

Building threats
An increasing prevalence of botnet-infected machines – some estimates place the number easily in the millions – are unable to be detected by anti-virus solutions, says Jennifer Bayuk, an independent security consultant. Zombie computers are permitting organized crooks to systematically target the employees and clients of businesses across the country and across the world.

She says many companies, especially the smaller ones, are overwhelmed. “There is absolutely no way to anticipate all the malware that is on a machine such that you can respond to it in any organized way,” Bayuk says.

Mark Lobel, a principal in the advisory practice at PricewaterhouseCoopers, says “leadership and a plan” are the two most reliable ways to stave off targeted and aggressive attacks by digital criminals.

But because of the faltering economy and a lack of stringent auditing, some organizations – especially the less tightly regulated ones – are finding reasons to put compliance on the backburner, which will limit their ability to keep up with emerging threats, Bayuk says.

“The risk of noncompliance is outweighing the cost of implementing security measures,” she says. “People are going to have a lot of internal justification of why they’re not going to comply.”

As an example, the Federal Trade Commission recently announced that it was extending the enforcement of the identity-theft prevention “Red Flags Rules” to May 1, 2009 to give financial institutions and creditors more time to establish an identity theft prevention program.

 “I think the FTC just proved that if nobody complies, nobody has to,” Bayuk says, adding that enforcement of all compliance mandates by auditing bodies must improve.

Economic woes
The dismal economy is not helping matters.

Joyce Brocaglia, president and CEO of Flemington, N.J.-based executive recruitment firm Alta Associates, says security professionals looking for a new position can expect slim pickings, at least for the start of 2009.

“Clearly company reactions to the downturn in the economy have been, in many cases, to put freezes on hiring,” she says. “And I expect that to continue for the next couple of months.”

But Brocaglia says that while businesses are admittedly doing “more with less,” a number of security-related posts remain in high demand, particularly in governance, risk and compliance (GRC) as regulations increase in light of the recent financial services meltdown.

“Good people are always hard to find,” she says. “They’ll be more selective, but there are a lot of huge initiatives. I think people need to concentrate on defining their differentials in a market like this. They really need to refine their resume and utilize their network [of contacts].”

Cooperation and laws
There is some reason for optimism in 2009, especially on the international front, several SC World Congress speakers say.

Jody Westby, CEO of Global Cyber Risk, a Washington, D.C.-based advisory firm, says she expects increased global coordination to deter problems, such as cross-border cyberattacks – similar to what occurred in Estonia after the government there removed a Russian World War II monument.

Information sharing and resolving jurisdictional and extradition issues are keys to stopping cybercrime. “When you have countries that don’t cooperate, the trail goes cold,” she says.

Lobel says he foresees significant security improvements made in outsource regions such as South America and India, where work is often completed so companies in America can cut costs and improve efficiency.

“If people are going to outsource and offshore, the need for security controls becomes more and more,” he says.
Meanwhile, multi-national firms will have to pay more attention to guidelines such as the Payment Card Industry Data Security Standard (PCI DSS), Lobel says. Enforcement is beginning to take shape in Europe and Asia, and merchants there will be expected to comply with the 12-step standard.

“You’re now seeing enforcement globally,” he says. “Companies are hearing from card processors now and they’re being asked to clean things up.”

Back at home, 2009 could bring significant security spending at the federal level for various projects, including public-private partnerships, Westby says, adding that 85 percent of the nation’s critical infrastructure is owned by the private sector.

She also says she hopes strides are made toward the establishment of a military-like branch responsible for responding to and defending against cyberattacks.

“[The U.S. government] can no longer treat it as footnotes and PowerPoint slides,” Westby says. “There has to be a defensive capability.”

On a state level, Lobel says more granular data protection laws – similar to ones recently passed in Massachusetts and Nevada – could be adopted. Already, more than 40 states have enacted legislation requiring victims of data breaches to be notified if their personal information has been compromised.
But with a new president and the nation mired in a deep recession, what really happens in 2009 is anybody’s guess. There is one bright side to the tanking financial picture, in which banks are increasingly reticent to loan cash.

“It won’t be so easy [for criminals] to order a credit card in someone else’s name,” Bayuk says laughing.