The decade ahead
I wrote the following piece in response to a request for input by David Lacey on his blog. David and other luminaries in ISSA-UK had a meeting to discuss what they feel are the biggest security challenges we'll face in the decade ahead. An ISSA White Paper is planned at the end of this year, so it would be good for the wider infosec community to collaborate on this.
I composed the following as a reply to David's blog but for some reason the ComputerWeekly site refuses to accept it. Perhaps it's too long or goes against their editorial principles, who knows? Anyway, here's what I wrote ...
FWIW my main concern for the decade ahead is the increasing power and resourcing of the black hat community - not so much the lone home hackers and hacker clubs (who are formidable but rather fragmented and from what I've seen relatively benign, well-meaning even in some cases) but the true criminal community that increasingly uses hacking and social engineering to harvest the real gold out there: the major corporates with lax security, negligible security monitoring and mostly not a clue that they might even be in the gunsights. There's a positive feedback loop at play: as the black hats successfully exploit small targets and get away with it, so they build up their resources (knowledge and cash) to invest in attacking bigger targets with more advanced weaponry. They can afford the R&D. We can't.
At the same time, the white hat community has basically stalled. So long as you and others continue to press the line that legal/regulatory compliance is the most effective way to make corporates become more secure, we're on a hiding to nothing as far as I'm concerned. Compliance achieves the least amount required, and that under sufferance. It's hardly destined to show senior management The Light, namely that strong security makes good business sense, enables them to do more stuff safely, protects their most important and valuable corporate assets, and gives them a substantial commercial advantage over their insecure peers who are 'accidents waiting to happen'. Security-for-compliance is just a nasty, inconvenient and distracting annoyance, a cost of doing business. It's a bit like 'tidying the place up because the auditors are coming', as if a tidy office will distract them from seeing the fundamental flaws all around them.
The black hats love compliance, so long as that means they can safely assume their targets will have made the least possible effort to meet the bare minimum standards to the letter, while largely ignoring all the supporting things (such as the human factors - security awareness, competence, training, qualifications, procedures and all the other good stuff in your book!) that are actually required to become secure. If those are not mandated, they evidently don't matter so they aren't being done. That's the dark underbelly of compliance.
As an ardent fan of ISO27k, I'm dismayed, not to say horrified, at the general lack of uptake of the ISMS approach. With just a few thousand organizations certified to ISO/IEC 27001 so far, and a few tens or hundreds of thousands more using the standards without being formally certified, this is barely scratching the surface of the millions of organizations Out There and all those accidents-in-waiting. Most managements will spend as little as they possibly can for PCI-DSS or privacy/data protection compliance, but won't take the next bold step of consolidating all those point solutions into a coherent information security management system, and working to fill the gaps. One of these days, they will run out of fingers to plug the holes in the dam.
Oh well, I guess you can lead a horse to water ...
Cheers,
Gary