Archive for December 2009

One More Prediction for 2010, But Are We Going to Heed It?

December 28, 2009

In our last post we gathered together the pundits’ predictions for 2010, but perhaps predictably (sorry), they seem to be more about a focus on surprise and novelty than actual risk-based predictions. In fact, few of these pundits even mention what is probably the greatest risk of 2010. Worse, even those who know what that risk is are not acting strongly enough to manage it.


Top 10 List of Top 10 Lists

December 17, 2009

It is that time of year when everyone likes to make their predictions for next year.  IREC just released our own list (see the previous post).  We thought it would be fun to round up the security-related prediction lists we could find (many are not actually “top 10” but some other number).  By gathering them in one place, we can compare and contrast them to see how much agreement there is (not much).  Also, it will make it easy to come back in 12 months and see who was the most accurate!

  1. IBM and Sophos
  2. Websense
  3. Symantec
  4. Zscaler
  5. Symantec (again)
  6. IBM (again)
  7. Lee Clemmer
  8. Fortinet
  9. Mark Weatherford, CISO, State of California
  10. Dan Kaminsky (same article as above)

Edited to add 11 and 12: Howard Schmidt, former eBay CISO and vice chairman of the President’s Critical Infrastructure Protection Board, and the folks from ICSA Labs.

A few trends that showed up on several lists:

  • Increasing use of social media sites as an attack vector
  • Cyber criminals increasingly use “the cloud” as a resource (using it legitimately as infrastructure, not as an attack vector)
  • MacOS-targeted malware increases, resulting in a stronger security stance at Apple
  • The cloud will be a big security risk. Or it will make things better.  Or something.

Edited to add a new common trend: Windows 7 will contain security flaws.

I don’t think it’s a knock on Microsoft to say that predicting that software as complex and multifaceted as Windows 7 will have security flaws is about as useful as predicting that the sun will come up tomorrow.

Edited to add 13: another 10 from Verizon Business’ Security Blog. Two of their predictions are in direct opposition to the trends we pulled from the other lists. They believe Win7 will be surprisingly robust, and that Macs will not be a special target of attacks.


10 Information Risk Imperatives for 2010

December 15, 2009

The 2010 information risk landscape will be defined by continued uncertainty in the broader business environment and the ongoing evolution of enterprise boundaries. Organizations that effectively manage the downside risks to information in this environment will be well positioned to take advantage of the new opportunities that such an environment brings.

IREC has just published our 10 imperatives for 2010 that CISOs should consider in advance of the new year.  In particular, CISOs should be prepared for structural changes on four fronts:

  1. IT Architecture – More widespread adoption of cloud computing technologies will mean that IT infrastructure and data increasingly reside outside of traditional enterprise boundaries, beyond the direct control of the IT and Information Risk teams.
  2. IT Innovation – The ease of adoption associated with social media technologies, Windows 7 (which most organizations will be using by 2011), and other user-developed applications platforms means that business users, not IT, will be driving some of the most visible and potentially risky changes in IT.
  3. Risk Ownership – New regulations on the horizon and a board-level focus on cross-functional partnerships dedicated to risk management means CISOs will be called upon to share risk ownership with an increasing number of partners.
  4. Geographic Diversification – With limited growth forecast for OECD economies in 2010, many enterprises will be shifting emphasis into higher-growth but less familiar emerging markets, potentially requiring additional risk assessment and bespoke mitigation solutions.

After the jump, I’ve included the full list.  If your company’s not a member of the Council but you’re interested in more details, shoot me an e-mail at gyoung (at) executiveboard (dot) com.

What trends did we leave out?  What trends are most important to you?


IREC in Wall Street Journal article about email monitoring

December 1, 2009

Quoted as “The Corporate Executive Board”, we supplied some commentary and data for an article in the European edition of the Wall Street Journal. The article is not available online, but it appeared on page 31 of the November 24 issue. (It is similar to the article “Some Courts Raise Bar on Reading Employee Email” from the US edition, but focuses on EU/UK issues.) We’d like to take advantage of the extra space available here to clarify our main points and provide additional data beyond what was cited in the article.