SC Magazine turns 20 in November, but, if Marcus Sachs is correct in his forecasts, this milestone anniversary is no portent of long-lasting good times.
When he says that, the director of the SANS Internet Storm Center isn't making predictions on the viability of 21st century journalism. (There're enough bloggers to pontificate on that subject, anyway.) Instead, Sachs is reflecting on the future of information security, which he believes will look drastically different in another 20 years.
In fact, he says, it won't be much of an industry at all.
“It's going to become part of the other manufacturing processes,” he says. “This may be the last decade or two where [IT security] is going to be a separate skill. This stuff can be built in. There are not too many magazines for boilermakers anymore.”
Sachs made it clear that he was not trying to perpetuate a “doom-and-gloom” scenario for the IT security space. He just wants security professionals (and magazine publishers) to be aware that the industry likely will shift from standalone to baked-in.
“Look over your shoulder and see what's happened with other technology waves over the years,” he says. “We will continue as a human society. But infosec is not going to last forever. I don't care what anyone says.”
Bruce Schneier, chief security technology officer at BT, says that as more businesses embrace cloud computing as their preferred IT delivery model, security will be almost entirely outsourced.
That means on-demand platform providers such as Google or Facebook, or managed security companies, such as IBM, will be responsible for purchasing and implementing security. A person inside end-user organizations will be charged with overseeing this process, but he or she won't need to look after anything in house.
“Nobody actually wants security ever,” he says. “You want the thing that you want. You're forced to deal with security because the stuff you buy (stinks). But that [will] become hidden.”
Schneier says information security won't be much different than, say, buying a car, where all of the safety elements, such as brakes, already are constructed into the final product.
“You don't have to buy an air conditioning but say, ‘I have to get these wires shielded because they're dangerous,’” he says. “That doesn't happen.”
However, John Pescatore, a vice president and research fellow at Gartner, isn't ready to wheel in the coffin. He says there may never come a time when security isn't something that has to be bolted on at the end.
Pescatore challenges Schneier's comparison to automobile safety. “That's thinking that the IT world will be as stable as the mechanical engineering world,” Pescatore says. “You can't do that in IT security. Nobody can make the driver think the traffic light is green when it is red.”
Of course, in the cyber world, somebody can make users believe they are somewhere on the web where they actually are not.
Pescatore says internet security will live on as a successful trade because the cyberattack surface is far-reaching. Infrastructure administrators make mistakes, and they do not have the capability to keep up with sophisticated threats as security-specific providers do.
“The vision of being able to treat it like a utility depends on software engineering to not be an oxymoron,” he says. “You cannot treat the internet like infrastructure, like you can [for example] water. Security will still be separate from the infrastructure.”
He does believe the delivery model for security will change. In some cases, wired and wireless carriers (Pescatore expects a huge rise in wireless use as the perimeter dissolves and speeds become lightning fast) will offer security-as-a-service (SaaS) to organizations. In other cases, businesses themselves will still manage their own security, but it will be delivered by SaaS providers.
“I think 20 years from now, plenty of enterprises – in fact, most – will still have their own local data centers,” Pescatore says.
Sachs says he wholeheartedly disagrees with Pescatore. In the meantime, though, while the existing model is still active, he also notes that he expects security vendors to be forced to license their products – much like other manufacturing firms must do – to ensure that their claims are valid.
This has to happen, especially considering the world now fully relies on software and hardware – yet there is no accountability for a broken security product and no formal means to investigate a product failure, Sachs says.
“There isn't any other industry – from dog groomers to plumbers to real estate professionals – that doesn't require the professions to be licensed,” he says. “[IT security] doesn't really have to measure up to any type of performance standard.”
As for the threats, Schneier is convinced that internet service providers (ISPs) must take the initiative on solving the internet security dilemma.
“Who else can make sure my mother's anti-virus is up to date besides an ISP?” he asks. “The basic security rule is that the entity that is in the position to mitigate the risk needs to be responsible for the risk.”
Sachs, meanwhile, believes that a lot of today's most pernicious attack methods used by criminals, including phishing and identity theft, will largely be solved in the future. The criminals will move on to their next moneymaking method. What exactly that will be depends on what technology emerges over the next 20 years, he says.
Pescatore says retailers, in particular, will continue to get crushed. Encryption may become unbreakable – but key management still will offer the same headaches as it does now.
“If there wasn't going to be hacking, it would have died first in retail,” he says. “But people are clever or employees are dishonest. Retail is 2000 years old and the theft hasn't gone away.”
One thing we know: SC Magazine is 20 years old, and the need for information security hasn't gone away yet either.