10 things to know about info security in '07

Jon Oltsik offers his take on the top trends destined to affect the information security business this year.

As I write this column, it is a balmy 55 degrees here in the Boston area--hardly the type of weather that drives New Englanders to start planning for the new year.

Nevertheless, the holidays have come and gone and it is thus time to take a stab at forecasting what to expect in information security over the next 12 months.

1. More privacy legislation
Now that the midterm elections are behind us, the folks in Washington will take a break from spending our money and focus on protecting our money. Democrats like Sens. Chuck Schumer of New York and Dianne Feinstein of California love this issue anyway and it makes good press--who wouldn't be in favor of cyber-protection for their constituencies? Look for a lot of grandstanding early in the year followed by the passing of a new data privacy bill sometime in the fall.

2. Data governance
Total data capacity continues to grow at around 50 percent annually, but few companies do a good job of classifying data, tracking its movement or monitoring and enforcing privacy policies. This is the most obvious reason data breaches happen so often: no one knows what is stored where. Rather than addressing this with tactical point tools, look for large organizations to get serious about data governance this year. This will drive a lot of large professional services work and further industry consolidation as the EMCs, IBMs and Symantecs of the world scoop up specialists like Liquid Machines, Vericept and Reconnex.

3. IT risk management
As security becomes less tactical and gains a business/enterprise orientation, information security will morph into an evolving category called IT risk. More firms will create chief IT risk officer positions whose holders manage system availability, performance management, disaster recovery, backup/restore, information security and IT's contribution to regulatory/industry compliance. Look for more adoption of IT governance models like ITIL/ITSM, CoBiT and the NIST 800 series to dovetail with the IT risk management trend.

4. Secure software development
By the end of 2007, many enterprises will mandate that their independent software vendors and outsourcers have formal, demonstrable processes for secure software development, similar to Microsoft's Security Development Lifecycle (SDL). Reactive software vendors will scramble to establish these processes, while professional services organizations like Symantec (@Stake) that focus on this area will suddenly have more work than they could ever have imagined.

5. Encryption everywhere
PCI and new privacy regulation will act as the hammer, but more and more encryption solutions will also come from the industry. New databases have row-level encryption baked in, as do disk and tape drives from vendors like Seagate, IBM and Sun. Windows Vista BitLocker will also drive mass encryption deployment as it gains momentum throughout the year. By 2008, encrypting data won't be as big a deal. Instead, encryption key and policy management will become a huge issue overnight.

6. Network reconstruction
Network upgrades are ongoing, but the Y2K-like IPv6 upgrade process will take off in 2007, driving major network overhauls. Next-generation networking equipment will include security features like access controls, application-layer filtering and multilayered encryption as part of its design. So expect vendors like Enterasys Networks, Extreme Networks, Hewlett-Packard and Juniper Networks to try to trump Cisco Systems by flexing more and more security muscle.

7. Security management
While growing, this is an extremely immature market, as evidenced by the fact that a VC-backed start-up like ArcSight is still the market leader. The tables will turn this year as Cisco, EMC, IBM, Novell and others look to leverage their recent acquisitions. Look for the big guys to bolster professional services in this area and add network behavior anomaly players like Mazu Networks and Q1 Labs to round out their portfolios. By the end of the decade, security management will slowly and quietly become a component of network operations.

8. Fire sales and failures
In 2007, VC-backed companies like ArcSight, Fortinet and Webroot Software have their backs to the wall. Each has done relatively well in the market, but these guys raised tons of money and there is not a profitable exit strategy in sight. For example, Webroot raised more than $100 million in funding and its main product has become a feature in Kaspersky Lab, McAfee and Zone desktop security. Yikes! With the competitive heat rising rapidly, look for a VC tag sale this year or Chapter 11 declarations next year.

9. Microsoft gains security respect
I know I'll take some heat for this one but by 2008, many security professionals will stop their incessant bad-mouthing of Microsoft. Why? Products like Forefront and Windows Vista will open a lot of eyes, but Microsoft will also provide a well-integrated security alternative, especially for small and midsize businesses. By 2008, Rodney Dangerfield will have to find a new information security home. I hear Redwood Shores is available.

10. Identity management plods along
This sector is also due for explosive growth. Government initiatives (think HSPD-12), new device types and extranet applications are driving demand, while standards (SAML, 802.1X), smart new technologies like the Trusted Platform Module (TPM), and industry consolidation have reinvigorated suppliers. Slowly but surely, identity integration is getting easier, too. This means that projects can be streamlined, with fewer dollars going to fat-cat system integrators like Accenture.

Many of these trends are net positives for the information security world. Despite this, we are likely to see some spectacular breaches in 2007 as well.