Over at his blog, Alex Hutton posted his predictions for 2007 - it's a great list, and it's going to be hard to avoid duplicating effort here. But, since he tagged me and I do hate to be redundant, here are my predictions, going from least controversial to most controversial...
Top 10 Security Trends for 2007
1. Consolidation Continues Market-WideYup... I picked a no-brainer. I don't think there's any question that we're going to see consolidation continue, especially in some of the spaces that are more "under the radar". Source-code analysis tools, identity management, patch management and aggregate compliance reporting tools should all be targets in 07.
2. Security becomes formally known as "Security and Compliance"Or, more accurately, security might as well become known as "Security and Compliance". I predict that less than 5% of the vendors at RSA 2007 fail to have a "compliance story". And I predict that 100% of the issues of SC Magazine and Information Security Magazine contain a story on compliance.
3. Every Product Promises Metrics that Make Information Security More EffectiveYet another no brainer, but this one's another RSA-focused prediction: you won't be able to walk the show floor without being innundated by pie charts and metrics that promise to be board-level, CEO-level, and CISO-level reports that will make security budget easier to justify and convince everyone that you're not just a fear-monger.
Unfortunately, most of these will be pathetically bad. Unlike Alex, though, I think that one or two products will get it right. (I promise: when I find that product, I'll talk about it).
4. No Major Remote OS Exploits OccurYet another easy call - the number of remote OS exploits has been dropping steadily since 2003. So, this means another year without another Nimda, Code Red, or Blaster type worm. And, on the same note...
5. Application Vendors Follow Microsoft's ExampleWith recent high profile attacks in many layer-7 products, we're going to see more companies like Symantec, Oracle, and other major app vendors start to do something like Microsoft did a few years back, announcing a focus on creating secure software.
6. Social Networks get ExploitedAs social networks become even more widely used, I'm going to go out on a limb, and predict that there will be at least one significant vulnerability or breach in 2 of the following 4 social networking/new media services:
7. Handheld vulnerabilities proliferateEveryone has been saying this one for a few years, but the scene is ripening. In 2002, there were a pile of different mobile OSes, and there wasn't a monoculture that allowed for significant propagation. Now, we're down to basically two winners in the mobile device space: Windows Mobile and Blackberry. (As much as it pains me, as a lifelong PalmOS user to say that). And, as researchers find less and less fruit in the OS and application spaces, there's going to be more time spent exploiting mobile devices through Wifi and Bluetooth.
8. The CISO continues to disappear as an executive functionWhile many people think of the CISO as a function of senior management (VP or EVP level), the trend towards the CISO as a Director-level or Senior Directorl-level position will continue. The function will be seen more and more as an arm of the compliance effort rather than the leader of the compliance effort (which will be driven by business-focused executives from legal, audit and specifically-designed compliance departments).
9. The CISO continues to evolve into an executive functionCall it hedging my bets, but at the same time that we see the CISO role focused at a Director level, those in the CISO role will follow the lead of Scott Blake and Mike Rothman in evolving a business-focused, risk-driven security program that emphasizes corporate performance over throwing technology at problems.
And hopefully, we'll see 2007 be the year that the trend in #8 reverses.
10. Someone will finally have the final word on responsible disclosureI admit it, that one's far more of a hope than it is a realistic possibility, but I had to put my intention out there nonetheless.
Okay, okay... a real one:
10. Phishing Starts to Die as a More Interesting Social Engineering Tactic Comes AlongWhile phishing is all the rage in 2006, we're going to see the beginning of a new evolution of tactic from the social engineers out there. I can't even concieve of what that could be, but, as I said, this one's the most unlikely. I think we're going to see phishing gradually become less effective, to be replaced by something more effective.
And now, Blog Tag...I have to five security blogs out there that weren't on the list that Alex already put together, so I'll pick the five that I don't expect the security regulars to tag. You each have to put up a post that details your 10 security predictions for 2007...
Andrew Storms, Tim Erlin, Ryan Poppa and Tyler Reguly over at nCircle (I know, I'm cheating, but each have something interesting to say, and it's only one blog.)