Grasping all dimensions of cyber-security in 2000 has been a challenge. Enterprise security in the new millennium just isn't what it used to be. In the good ol days--a couple of years ago--firewalls were for servers, and the Internet was for desktops and laptops, not mobile telephones or PDAs. E-mail brought documents from business partners, not Love Letter A from your worst nightmare.
With new security perspectives and protection imperatives, 2001 won't be just another year in paradise. Purgatory will prevail and will likely continue throughout the coming year. Here's why:
Trends For 2001
Superb technology is a necessary, but insufficient condition for success in today's security market throughout 2001. Several other security vendor factors, including business model, marketing acumen, and client relationship management, must work together in the coming year to generate excellent, effective, and reliable protection.
The following trends will influence the security market in 2001:
1. Continued vacillation will occur regarding where security protection fits into operating system, application, Internet, and telecommunication infrastructures. That is, should enterprise security functionality be modular, integrated within products, or administrated as a service. Companies have been unable to answer this question because cyber-security product development decisions, like most in the high-tech markets, are not based on logical and integrative design, but instead on competitive advantage and company strengths.
2. The managed security services (MSS) market will expand rapidly on both vendor and client sides. Large, pedigreed corporations with track records related to cyber-security (consumer, business, or consulting related) will develop or roll out new MSS offerings. Many smaller security start-ups will emerge supplying unique protection offerings. This market will continue to grow rapidly.
3. Security services will be expanded to include breach forensics, investigative services, and litigation coordination. These tail end services deal with evidence preservation, breach loss identification and analysis, and civil litigation to obtain actual and punitive damages.
4. Large to enterprise-level firms will progressively establish chief security officer executive offices as hubs to integrate all security services.
5. Corporate security investment confusion will continue due to best-of-breed, point solution vendors competing against integrated, proprietary solution providers. The question for corporate security decision makers remains: Which solution will be more productive and cost effective, separate products for different security applications (i.e., firewall, e-mail, encryption) or integrated proprietary solutions?
6. Security specialists will become more recognized as professionals, bringing with them unique training, certification credentials, and background requirements (i.e., college degree, background check, financial security). The current shortage of well-trained and experienced cyber-security professionals will intensify, leading to even higher salary levels.
7. Program code development will explicitly integrate security design and testing procedures.
8. Security in this developing market will include both technical (e.g., VPN, firewall) and physical (e.g., facility protection, area access control) security skills. Technical and physical security considerations are increasingly interrelated, and must be managed from a holistic perspective.
9. Universities and colleges will offer new graduate programs in cyber-security, either through computer science departments, business schools (computer information systems), or specialized computer engineering programs.
10. Cyber-security insurance will become a standard protection component in large and enterprise-level corporations. While insurance standards remain to be developed for e-business, this market will be so lucrative that insurance firms will develop unique metrics to insure the most prominent companies.
It's Not Just Cyber-Security Anymore
The above trends foreshadow a daunting new year for enterprise security. We live in interesting times--dangerous and exciting. New disciplines are needed for effective methodologies, and innovative legions of security professionals are essential to bring this field together.
While the Certified Information Systems Security Professionals (CISSP) security certification seems to be gathering respect and support from business and government communities, little beyond product certifications takes into account the tools and skills needed for cyber-protection in the new millennium. Interestingly, the e-security model is changing to encompass more of the real world.
Online and related offline (e.g., portable computer theft) attacks will continue to grow, creating a need to maintain safe work locations both onsite and offsite for employees and customers alike. Physical security skills, such as facility planning and equipment theft prevention, will also be required to integrate cyber with physical protection. Chief security officers' responsibilities will entail computer and telecommunication systems, access control, logon authentication, asset protection, employee background checks, and user security training.
Good news and bad news for 2001 differs by sector. Organizations searching for reliable and cost-effective protection can take heart that new MSS providers will be offering a variety of packages. The bad news is those providers will often be unstable, still developing internally, and suffering from the same lack of experienced professionals that their clients face.
All in all, 2001 is shaping up to offer something for everyone, but total satisfaction for few. //
Dr. Goslar is principal security analyst for E-PHD LLC, a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.