Steve Robinson is the vice president of Development, Product Management and Strategy for IBM's Security Systems Division.
During the past year, I spent a lot of time traveling the globe, meeting with clients and industry experts to discuss security. Those discussions gave me a keen sense of the pain points -- and the advances -- we will be learning to adapt to moving ahead.
So as 2012, one of the busiest years for enterprise security, winds down, let's look ahead to 2013. In truth, the rapid pace at which technology is evolving is creating challenges for enterprises and their security officers as they plan out their strategies for 2013.
In 2012, we saw growing complexity with the evolution of key technologies such as cloud, big data and mobile computing. We saw increased concern at the impact of sophisticated malware on operations and business continuity across the enterprise. Finally, we began to question the traditional views of security with regard to where the threats reside. As we close the books on 2012, much progress has been made, but I think the entire industry will agree that much work remains in 2013.
From insights I’ve gleaned from talking to chief information security officers, as well as my security scientists at IBM, I’m optimistic on some topics and remain concerned about others. Here’s what we can expect in 2013 and beyond:
1.) In 2013, cloud security will go from "mystery and hype" to "secure and move-on." Service providers are taking security more seriously, pushed by customers who expect better service. Meanwhile, for both public and private cloud, we are making technological progress (in federation, encryption, virtualization security and monitoring), which provides a reason for optimism.
2.) Likewise, despite the buzz, I’m optimistic about security for mobile computing. By the end of 2014, mobile devices will be more secure than laptops are today. Device makers and service providers have stepped up their efforts. Meanwhile, technologies are emerging to manage devices, encrypt them, separate data and monitor usage that will leapfrog the technology for laptops of today.
3.) Compliance will remain a surprisingly robust security driver through 2015, driven by country-level cyber efforts maturing. An influx of advanced threats put compliance on the back burner in 2011, but is now driving new legislation. Watch out for more regulations and more need to automate controls and reporting.
4.) The type of data collected and inspected to detect advanced threats will balloon in variety and volume by 2016, with a focus on finding the needle in the haystack. Security intelligence is a key factor in helping companies get smart about what is actually happening on their systems. Traditional security solutions will break as customers want to inspect more varied and voluminous data streams.
In addition to these broader predictions, here are some other observations that we’re bound to see, which move us beyond the headlines to what security execs are preparing for over the next few years:
5.) Our 2012 Chief Information Security Officer (CISO) study showed that most CISOs report to the CIO. This will change. Security groups will become more independent, with CISOs breaking away from reporting only to CIOs, instead getting more direct lines to the audit committee and risk officer.
6.) Data scientists will be in high demand for security. Data scientists will be dedicated to analyzing and correlating security data as well as unstructured business data to find the breach needle in the corporate haystack.
7.) Reduction of threat data sharing boundaries between government and private sector, and among private sector companies themselves. Organizations are realizing they need to share information to stay ahead of security risks and threats.
8.) Firms will begin monitoring the info shared on social dark channels. Organizations believe that social data/hacker channels can be mined for data/clues that indicate which companies are being targeted. The information can be monitored either internally or via a service.
9.) Unlike the last compliance wave, the current one will be weighed against the rise of a risk-based approach to security. Security dollars must be spent to enhance security and not only to check a compliance box.
The best defense is often a good offense. Getting ahead of the threat, planning now for what you know is coming in the next few years, will go a long way in protecting your data. Much like this past year, 2013 is sure to be an active and exciting year in security.