Art Coviello, Executive Vice President EMC, Executive Chairman RSA, The Security Division of EMC
It’s that time of year again when I make my bold (“somewhat safe” depending on your point of view) predictions about IT security for the upcoming year – 2013.
The French journalist, novelist and social commentator, Jean-Baptiste Alphonse Karr, is the author of the witty expression, “plus ça change, plus c’est la même chose” which, as is almost always the case, sounds much more melodic than the English, “the more things change, the more they stay the same.” In reviewing my prior years’ prognostications, that phrase immediately popped into my head. How not to be repetitious when we face many of the same challenges?
I am not sure I can because:
1. The hackers will likely get even more sophisticated.
Evidence of criminals collaborating with rogue nation states, exchanging methodologies, buying and selling information, and even subcontracting their respective capabilities expands their collective reach and enhances their mutual learning curves.
2. Our attack surfaces will continue to expand and any remaining semblance of a perimeter will continue to wither away.
Both will surely happen.
My EMC colleague, Chuck Hollis, in his set of themes for 2013 says that next year organizations will come to terms with the pervasiveness of mobility and start to catch up on the offering of services to their users. Bingo. Wider attack surfaces. In addition, and somewhat needless to say, but I’ll say it anyway – the slow but steady march to cloud-oriented services will once again expand attack surfaces at the expense of the perimeter.
This all leads me to my next moments of déjà vu which include:
3. These changes will occur whether security teams are ready or not.
In too many cases, not. There is a critical skills shortage of security professionals and many organizations can’t keep up.
4. And, national governments will continue to diddle or, should I say, fiddle (while Rome burns), failing to legislate on rules of evidence, information sharing and the reforming of privacy laws.
Lack of privacy reform is particularly troublesome based on today’s realities because many organizations have literally been put in the position of violating one set of privacy laws if they take the necessary steps to protect information (which they are legally obligated to do based on another set of privacy laws). Confused? So am I, but how would you like to be confused – and liable?
I abhor the phrase “Cyber Pearl Harbor” because I think it is a poor metaphor to describe the state I believe we are in. However, I genuinely believe we are only a whisker away from some form of lesser catastrophic event that could do damage to the world economy or critical infrastructure.
5. It is highly likely that a rogue nation state, hacktivists or even terrorists will move beyond intrusion and espionage to attempt meaningful disruption and, eventually, even destruction of critical infrastructure.
If all of this sounds depressing, well, it is. This isn’t fear mongering. It is a plausible extrapolation from the facts. But we can change the trajectory. There is already a tectonic shift underway from a perimeter to an intelligence-based security model.
In an age where breaches are probable, if not inevitable, organizations are realizing that static, siloed, perimeter defenses are ineffective against the evolving threat landscape. Only an intelligence-based model that is risk-oriented and situationally-aware can be resilient enough to minimize or eliminate the effects of attacks.
So, now comes the good news:
6. Responsible people in organizations from all verticals, industries and governments will move to that newer intelligence-based security model and pressure governments to act on our collective behalf.
7. I also predict a significant uptake in investment for cloud-oriented security services to mitigate the effects of that serious shortage in cyber security skills.
8. Big Data analytics will be used to enable an intelligence-based security model.
Big Data will transform security enabling true defense in depth against a highly advanced threat environment.
One final note. If we want to avoid going over the “security” cliff and really want change we can believe in, we must act more collaboratively and decisively than ever before. The stakes are getting too high for us to wait another year.
This post originally appeared on Forbes.com on December 7, 2012.