Monday, January 31, 2011

My Security Predictions for 2011

Now that I have checked my 2010 predictions (see here) and “reflected and mused” on 2010 (here), I am allowed to proceed to 2011 predictions :)

My past experience predicting shows that I am a cowardly, extrapolating predictor – and can get a lot of easy, obvious stuff right. Great! I will do some of it now as well (since there is nothing wrong with extrapolation and “Feynman prediction methodology” [=predicting that whatever is there now will stay the same in the future]), but will try to be a bit more wild, like I was in my 2020 (!) security predictions. Also, I noticed I’ve been a bit too verbose in the past, so this year I’d rather be brief (since I am busier).

So:

  • PCI DSS 2.0 marches on: this is the year when PCI DSS gets even BIGGER (if you can imagine it!). And smaller too – more smaller businesses will “get” PCI. Great news! On the not so good side of PCI, I predict that a few “validated compliant” companies will be found abysmally non-compliant and insecure: after the breach or otherwise. Maybe some QSA heads will roll as a result, especially those “remote-assessing” “easy-graders.” The challenges of compliance in non-traditional environments (virtual, cloud, mobile devices, non-traditional payment methods, etc.) will rise to prominence as well.
  • HIPAA teeth: yes, this is one of those things that people have been predicting since 1996 (yes, really!), but somehow I feel like this time – in 2011 – HIPAA/HITECH enforcement will be for real. OK… you can call me an idiot in a year, if I am wrong here.
  • Application security – and application security monitoring: Gunnar paradox on firewalls+SSL might finally start to break in 2011. I do predict that not just web application security, but also many internal “enterprise” applications will get in scope for SIEM, correlation, near-real-time monitoring, etc. And not just at “adventurous” security leader companies, but more like in early mainstream.
  • Still no mobile malware deluge: enough about this one. Enough! Enough!! For sure, there will be isolated (and possibly pretty bad) malware incidents, but not “Slammer for iPhone” or “Blaster for Android” in 2011. I suspect that PCs will still have more “money” and more holes and so this is what the bad guys will continue to steal.
  • Mainstream security in the cloud: yes, Qualys and a few others have been doing it since 1999 and a few cloud security providers have been absorbed into large entities (latest, sort of), but I suspect that in 2011 we will see much more of “<XYZ> approach to security of <ABC>… now in the cloud.” BTW, I mean REALLY using SaaS/PaaS/IaaS cloud options and not “press-release cloud” like many do today.
  • “New” types of incidents: going out on a limb, I predict a few large (and very damaging) breaches, NOT involving regulated PII, but good old secrets. Wikileaks mentality + cybercrime resources = a fun year!
  • SIEM for dummies: OK, this is another risky one. As you know, there is no leader in the SMB/SME SIEM market and I am really looking for somebody to climb on that hill. The world needs a penultimate “SIEM for dummies.” As of today, SIEM is decidedly not. At the very least… I am predicting the arrival of “a log toaster” :)
  • Security vendors: despite the silly 2007 predictions by RSA CEO, there will still be hundreds of security companies around. However, some of the players will definitely feel like they “overstayed market’s welcome” (e.g. some legacy SIEM vendors) and will either die or go firesale.
  • Risk “management”: every past year, I predicted that we will remain dazed and confused about how to apply risk to information security in an objective manner (objective, not necessarily quantitative). This year… drumroll… I am laying these dark thoughts to rest – at least for a while. Maybe, just maybe, we are starting to see both data and approaches that will eventually give us something to work with. And not just whine about it :)

Enjoy!

Dr Anton Chuvakin