IT and Compliance: Trends
Topic: Process-based compliance management
Posted in Community: SOX compliance
Source: http://www.itcinstitute.com
Activity: 2 comments, 377 views; last activity 07 06 2010 20:18:04 +0000
Here are a few trends:
- Targeted Attacks Escape Detection: For some time, attackers have been using malware to compromise PCs, turn them into zombie computers, and assemble large, distributed botnets, used especially for distributing spam and more malware. Phishing attacks have also become so prevalent and sophisticated that some financial institutions report their losses from online fraud increased five-fold from 2005 to 2006.
- Breached Data: 100 Million Records and Counting: Driven by such targeted attacks, data breaches have reached epic proportions over the past few years. Indeed, the Privacy Rights Clearinghouse estimates that, since it started tracking data breach disclosures in February 2005, the total number of potentially breached records surpassed 100 million by the end of 2006. Perhaps the most high-profile recent example is the TJX Companies' disclosure that its network had been compromised, exposing transaction data dating back to 2003, and that the intrusion was not discovered until late 2006.
- Revisiting Compliance Controls: The first several years of SOX involved a mad dash to put the needed IT controls in place. Firms typically instituted manual controls first and have been steadily replacing them with automated ones, making compliance more repeatable, demonstrable, and cost-effective.
- Better Compliance through Improved Security: On that note, experts have long argued that compliance efforts do not automatically result in improved security. Many companies, however, did not seem to listen. According to new research by Forrester Research analyst Khalid Kark, "most organizations increased their regulatory spending while decreasing their security budgets and postponing security initiatives, thinking that regulatory compliance would lead to better security." Yet "in a lot of cases," he says, "this assumption was not true." Furthermore, by forgoing sufficient information security investment, many firms are now at increased risk from today's more virulent and targeted attacks.
- PCI Overshadows SOX: Increased security spending will also be needed to comply with the Payment Card Industry Data Security Standard (PCI DSS) version 1.1, released in September 2006. PCI DSS is a security standard developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to mitigate emerging payment security risks while facilitating broad adoption of payment account data security. Simply put, PCI DSS specifies minimum policies, procedures, data security, network architecture, and more for any merchant handling credit card data, and in practice for the service providers that store, process or transmit that data on a merchant's behalf.
- Insider Threat Drives Access Controls: What do Medco, DuPont, and Compulinx have in common? All suffered security breaches at the hands of insiders. At Medco, for example, an IT administrator planted a logic bomb meant to delete internal information; it failed to go off. Meanwhile at Compulinx, the CEO reportedly used employees' personal information fraudulently to obtain credit.
- Green Moves Mainstream: In 2008, power and cooling management will gain major momentum. Companies will look for easy wins with green technology purchases, but will largely fail to master the larger challenge: usage patterns and user habits.
- Security Controls Go over the Wall: IT managers cannot rest easy on home-field security efforts alone. Contractors, outsourcers, business partners, supply-chain nodes, and other members of the business network also have privileged access to sensitive customer and business data. Scores of information breaches have been tied to such privileged third parties over the past several years, yet third-party security has generally remained peripheral to managerial focus. In the next year, growing confidence in internal information security, coupled with ample documentation of policies and procedures, will allow managers to enforce security controls contractually across broader business relationships.
- Solution Vendors Go Deep and Wide: Consolidation and solution expansion will both continue apace in the GRC solution space as vendors strive to position themselves as "end-to-end" providers. IT and compliance managers should be aware, however, that even these more comprehensive solutions will still cover only a fairly narrow slice of IT management relative to the total GRC picture. Identity and access management and messaging security management, for example, will see the most aggressive consolidation and development.
- Mobile Security Gets Equal Mindshare: There has been no shortage of concern about mobile security, but it remains a sticky wicket because of the diversity of devices in use, the inability to control end-user behaviour outside the office, and the lack of policy directives for mobile device use. On the whole, mobile security has been a we'll-get-to-it-when-the-perimeter-is-secure priority; that attitude will shift in 2008. As handheld computers and increasingly powerful mobile applications push more sophisticated computing outside the enterprise walls, companies will need to reprioritize mobile policies and controls as a primary concern.
- Managers Map the VoIP Void: Fast adoption of VoIP represents a serious risk for companies and an attractive target for miscreants. At least one major security incident in 2008 will draw managerial attention to the risks of unsecured VoIP networks. Meanwhile, the potential for VoIP data to be included in e-discovery requests will drive new interest in telephony records management.
Comments (2) on "IT and Compliance: Trends":
- Bhuneshwar Ram Tripathi, Head/VP/GM-Production/Manufacturing, Bhatia International Ltd. (10 05 2008 17:10:50 +0000)
- Hardik Patel, Team Lead (Staffing and Recruitment), Rishabh Softwares Pvt. Ltd. / Rishi Infotech Pvt. Ltd (07 23 2008 14:34:17 +0000)