December 30, 2008, 4:06 PM — My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should. As always, take these with a grain of salt.
Though these predictions are based on primary research and many, many discussions with CSOs, they concern information security only and can be affected by external factors that are unpredictable (at least by me). Case in point: My predictions for 2008 did not take into account a severe downturn in the economy that was underway already at the beginning of the year. Let's hope that my 2009 predictions also miss the mark by assuming a continuation of economic difficulties that turn out to be less severe than predicted. Here goes:
Host-based security becomes the focus for 2009. The imminent release of Windows 7 and the continued interest in Mac OS and Linux as alternative desktops are once again focusing attention on operating-system and endpoint security.
Mobile security concerns and solutions grow. The Android and iPhone platforms continue to grow, and with them comes an ecosystem of independent application developers. With mobile platforms truly becoming "platforms" for all kinds of new applications, security issues are not far behind. 2009 could be the year of the first widespread security scare on a mobile platform. Perhaps a rogue application? A Trojan?
Encryption grows. At-rest encryption of hard drives on all desktop systems becomes the norm. Servers still lag behind. Encryption of mobile-device storage starts getting interesting. And once again in 2009, it's still impossible to send an encrypted e-mail to someone without making special arrangements in advance. Public-key infrastructure (PKI) encryption remains fragmented in small disconnected islands. Ugh.
No news is bad news. There are no new, high-profile, fast-spreading mega-worms. The world rejoices at the defeat of malware. Meanwhile super-stealthy malware spreads further than ever before, and those in the know quietly weep.
New botnets are discovered and they're bigger than ever. The malware industry feeds the ever-increasing botnet industry. As usual, most of the innovation happens on the "other" side of the industry. Botnets' makers continue to build incredible distributed, encrypted, anonymous, unbreakable command-and-control systems. Who said there are no profits to be made in 2009? If only BTNT was a publicly traded stock!
Regulatory compliance is back with a vengeance. All the scandals and Ponzi schemes you heard about in 2008 become subtitles for new regulations in 2009 and beyond. Regulations in hedge funds, credit-default swaps and derivatives are just the beginning. A whole new industry of auditors, special software and consultants rises up to meet the challenge. You thought SOX was a pain? Just wait.
Security projects struggle for funding. It will take a lot of arguing to get a budget for more than upkeep in 2009. But wait, regulatory compliance comes to the rescue: Use compliance to push through budget requests on everything. It's 2007 all over again!