Managing Information Security During an Innovation Void
Thu, January 12, 2012
CSO — Although predictions for the coming year are a staple of the season, I will do more than offer an educated guess. I am going on the record with a guarantee: In 2012 we will see an increase in network intrusions from disparate parties trying to create IT infrastructure chaos for a variety of reasons, primarily political, financial and economic. An easy prediction, perhaps, given the trend, and yet, while I fully trust that CSOs, CISOs and security teams are doing all they can to prevent breaches, I am deeply concerned that they still lack the technology to adequately protect IT infrastructure from malicious attacks.
There are several reasons for this state of unpreparedness. Budget constraints certainly continue to be an issue, even as the U.S. economy plods along in recovery mode. However, the more disconcerting limiting factor is beyond the direct control of infosec executives: the scarcity of innovation in the information security industry.
Too few entrepreneurs are bringing to market new technologies that are the core building blocks for information security. While I wouldn't go so far as to say enterprises are bringing a knife to a gun fight, there is no doubt that the industry is not keeping pace with the technology or the ability of attackers. The resulting disparity between the available options and the growing challenges faced is what I call the innovation void.
Four factors created the innovation void: Cuts, constraints, consolidation and capital:
Cuts: IT spending cuts during the Great Recession were deep and have yet to recover. US software CAPEX growth was just 7 percent as of Q2 2011, exactly where it was 20 years ago. Spending is off the lows of 2008 and 2009 but shows only modest gains -- especially given those lows, is 7 percent growth really all that impressive? Many software vendors have been unable or unwilling to invest in R&D in this climate. The downstream effect is a dearth of truly new technologies. I suspect this will change as the domestic and worldwide economies -- which are now clearly and highly correlated -- improve. In the meantime, enterprise customers can anticipate only minor improvements to infosec solutions.
Constraints: The challenge of spending cuts affects more than the companies that sell information security software. The innovation void leaves CISOs, CSOs and their teams navigating increasingly complex and treacherous environments. The explosive increase in the use of employee-owned consumer technologies within the workplace -- especially mobile technology, e.g., smartphones, iPhone, iPad, iWhatever -- means information security professionals have to protect a broader plane of vulnerability, and do so with fewer resources.