Sunday, April 11, 2010

Trends in InfoSec for 2010

I probably should have done this earlier in the year but I figure I'll stake my turf and make a few calls right now for the next 12 months.

What are the hot areas of movement for information security? What do I predict will be key areas of growth and potential spending? I've read some books and blogs on this stuff recently and I find myself either nodding in agreement or shaking my head.

In no particular order, here's mine:

1. Cloud Computing
Unless you've had your head in the sand for two+ years, you've heard of cloud computing by now. Apart from the obvious issues of cloud usage, I believe the bulk of spending for cloud will be on security consulting - risk assessment, assurance services, architecture. I suspect within this time, standards, compliance benchmarks and laws will start to emerge to help formalise key expectations and requirements on cloud usage. This means potential cloud clients will be spending, and likewise CSPs will be looking for assistance. The demands put on them will only increase as the market demands a more mature offering.

I admit it may be a stretch to say that laws will be passed within 12 months for a specific technology - but I will go so far as to say that you will see something along those lines or at least calls or proposals for them. I think something more formal may come of the Cloud Security Alliance and ISACA alliance but that really is just a hunch.

2. Mobiles
iPhones, iPads, Androids, the new Nokias, notebooks, etc, the list goes on. The ubiquity and pervasiveness of mobile technologies has never been greater and with it the need for data portability and therefore, security. The Rick Rolled iPhones are the tip of the iceberg. Let's face it, Windows was - and still is - the primary target for malware, largely owing to its popularity. iPhone malware is coming. Everyone thinks Apple are somehow magically immune to security bugs and I think people are in for a rude awakening as the line between mobile phones and personal computers is heavily blurred. Also consider the number of applications being developed for iPhones. This potentially opens the proverbial can of worms. After all, your PC doesn't follow you everywhere, have GPS, a microphone that could be used to listen in on your daily conversations, let alone all your phone calls, rifle through your contacts, email and banking details whether you access it via the phone or Internet!

Initially at least I imagine it will be consulting where the money will be spent - e.g. whether companies should evaluate their mobile usage policies, what controls can be embedded into the devices (e.g. tracking, remote wipe), more conventional technologies (data encryption), etc. I'm not heavily involved in the vendor side, but I would expect they would be conducting lots of testing to determine inherent weaknesses in their designs. Within the next few years, I guarantee you this area will grow into a mainstream domain of its own within information security. This segues nicely into my next point...

3. Application Security
I'm talking more about the Australian market now. Big Aussie institutions have been aware of the need for application security for some time and have been getting smarter over the past few years (although we definitely lagged behind many countries). But far too many people remain largely ignorant. For organisations relatively immature in the appsec space, I expect we will see an awakening.

For the more mature ones (e.g. banks) it will become more a matter of streamlining processes and evaluating key areas of risk to enhance already robust application development and testing procedures. Examples - application developer training, appsec metrics, static code analysis tools and vendor bake-offs, etc. If you work in the space and are reading, I'd love to know more about your thoughts on appsec metrics and just how many people are trying to put some measures on the effectiveness of application security. If you're developing payment applications and have to comply with PA-DSS, this is a no-brainer too.

4. Contractual Obligations
Between SOX, HIPAA, various ISO standards, PCI-DSS, etc, everyone and their dog, it seems, has to be compliant with some piece of legislation or standard. This means more and more people are realising the need to be crystal clear in their expectations of their service providers, trusted partners, downstream clients, etc. Security requirements will be firmly embedded into these contracts. Conversely, this will create top-down awareness in business stakeholders, which will drive the spending on information security. This has been happening in the US for some time, given the compliance-driven market conditions; however, it is already trickling into the Australian arena. Our laissez-faire approach to contracts and compliance is starting to come to an end, IMHO.

5. Managed Services
I've often wondered why people don't just ride the veritable cash cow of managed services. I imagine outsourced security monitoring could be one awesome, easy-to-deliver service that makes a perfect example of a managed service. Security operations requires teams of staff, ideally around the clock, with a strong technical capability to distill potential threats from various sources, keep the defences up to date, and stay abreast of emerging threats. The overhead in managing all this is actually a very high cost. Conversely, as a managed service, the cost of doing this actually scales quite well.

If you wanted to do your own startup, you should investigate this. In a world still recovering from the GFC, and even in Australia, where we weren't hit as hard as the rest of the world, companies are still looking to cut their spending. The ability to outsource even some of their monitoring, if not all of it, could be quite enticing to companies looking to shed some of their OPEX burden.

6. Training
We are at a moment in time when information security is in strong demand, yet the number of genuinely skilled staff is quite low. Those looking to break into infosec will pay for that training, out of their own pocket if they have to. This is a no-brainer. Conversely, skilled staff will want to stay current and continue to push for training relevant to their role. If companies won't pay for their upskilling, chances are they will jump ship to find those who will. Or they will pay for it themselves and then quit anyway. In cases where the responsibility must be delegated to a staffer with an existing role, those staff will most likely need to be upskilled accordingly.

If you maintain infosec staff in house, then you had better be training your staff and keeping them happy campers, because right now the market is hot and experienced staff can take their pick of the jobs they want and practically name their price - because the alternative is to try and import the talent, and that often comes at a significant cost. And even then, the pickings are slim (and no, I'm not just making this up either).

Anyway, that's it for me. I'd love to hear insights from other infosec professionals reading this.

- J.
Christian said...

I agree with a number of sections, and I found the last one on training ringing very true. Then it got me really angry because whilst you commented that Australia might lag behind other countries in certain spaces, Perth certainly lags behind the rest of the country.

Especially with training. If you're interested in technical security type training that ISN'T about managing a Cisco firewall and you can't leave the state, then you're shit out of luck.

And whilst I think I'd like to imagine that I could train myself and then leave to a better job, the market here still "feels" too small.

I'm also not entirely sure I can agree with your comments on assuming the banks are more mature at application security... but that might just be my experience. (For example, how are you measuring maturity? You seen any company in Australia go through an OpenSAMM or BSIMM exercise?)

Jarrod said...

My comments on the banks are based around conversations with mates that happen to work in infosec in that space, some of the hiring patterns I've seen and presentations at OWASP. So to some extent, I do have the inside track on that I think. :)

There is training online (SANS and infosecinstitute come to mind), but you're right - if you live in Perth you're pretty much shit out of luck. Most of the guys I know who work in IT end up moving to Melbourne because of the frustration they experience with the Perth IT market in general.

You could start your own training business on the side however...? :D

- J.

Christian said...

Yeah, I too have seen many a fellow infosec friend leave for greener pastures in the east. I sometimes just don't get it, especially recently, because WA has been having such a boom in recent times.

I do like your proposal though for a training side-business and wish to subscribe to your newsletter ;)

mhackling said...

I can second your trend on training. Some of the larger jobs around have been appsec training related mostly around embedding extra security gates into the SDLC like new coding standards, static code analysis to complement the existing risk assessment, architecture documentation and security acceptance testing.

Barry Watkins said...

Great Blog Jarrod, love your thoughts on where things are going in 2010.