According to SystemExperts' President Jon Gossels, after reflecting on the hundreds of projects his company has undertaken this last year, "2005 saw no earth-shaking developments that changed the security landscape."
He and our Board members are right, of course. However, I tend to think that while innovative thinking and solution development may have hit a speed bump, just like Gossels says, 2005 "was anything but a quiet year."
Not only did increasing ID thefts, targeted attacks, continued blended threats and overlapping regulatory requirements bring IT security issues to the attention of CEOs, CFOs and company boards, they also prompted corporate executives to continually assess and improve security functions to ensure privacy and compliance. (And auditors everywhere cried out with glee...) And while this may sometimes translate into mere checkboxes to be ticked off the list for some companies, it does mean that information security is getting more notice from executives, board members and business units.
Further, as Gossels points out, regulatory and customer demands are prompting executives to depend on security standards to formalize their approaches to information security throughout the business. This is another good thing -- as long as these standards, like privacy/security and compliance efforts themselves, don't turn into window-dressing for an information security house of cards. That is, these standards and information security labors on the whole need to be backed up by consistent, continual and real IT security policies and procedures that directly improve new and existing business projects and operations -- and, ultimately, brand and profits.
Changing the way corporate leaders think about IT security will take time. 2005 seemed to be the first period during which top executives understood the advantages of IT security -- a welcome way of thinking no matter the motivation (whether it be brand enhancement, regulatory compliance, customer demand or disaster preparedness).
So maybe nothing too earth-shattering happened in IT security last year. Yet an innovation in thinking occurred in another way. While information technology might evolve at the speed of internet time, acknowledgement and acceptance of the need to secure it is a slow burn. And, finally, it is burning a little stronger.