In your opinion, what was one of the most impactful happenings or developments in information security?
Though it seems inevitable now, the first spam emails (whether you consider 1978's “DECSYSTEM” announcement or 1994's “Green Card lawyer” spam to be the “first”) were certainly shocking to email users at the time and created the spam industry and, ultimately, the email security market. By its very nature, the openness and flexibility of email makes it prone to this sort of exploitation. Now, more than a decade or two on, inbound email security is still a huge issue.
How do you see the industry evolving over the next 20 years?
While threats will continue to evolve (and increases in computing power will make them more complex and potentially more dangerous) and new security issues will emerge around every new technology, communication channel and regulatory issue, one thing won't change: the “human” factors that are really at the core of information security risks. There's a lot of room for innovation around addressing those issues, whether in the area of usability, end-user education or systems that are more proactive in assessing and addressing emerging risks.
Who has made the biggest impact on the information security industry and why?
There's no one person, but from the email security perspective the risks originate from two sources: the “bad guys” and your own email (or other IT system) users. Malicious groups and individuals, whether they're motivated by profit or notoriety, have shown some pretty amazing innovation in their efforts to bring down networks, steal personal information and compromise IT systems. On the other side, end-users (whether they're business users or consumers) simply trying to enjoy the benefits of information technology or get their jobs done are both targets for the bad guys and sources of other types of risk, such as data loss, compliance violations… or just general IT consternation!
What are the major vulnerabilities or threats that you think industry players will worry about over the next 20 years?
We'll definitely see security issues and solutions around SaaS and cloud computing at the forefront of information security for the foreseeable future. As more and more data moves “to the cloud” and as systems become even more interconnected and interdependent than they are now (not to mention the huge number of new users and systems that will come online in the “developing world” over that same period) this will become even more critical. As an industry we'll also have to address the same macro issues that every sector must address over the next 20 years – including reducing the environmental impact of what we do and dealing with an increasingly complex global political environment.