Reporter's Notebook: Security

Computerworld - Regulations: The Big Stick

Compliance will dominate the security agenda for 2006. The growing number of regulations -- and the consequences of not complying with them -- have elevated security into the boardroom. CIOs will use compliance to justify most of their information security spending this year -- even for technologies IT would have implemented anyway.

Goodbye Worms. Hello Trojans, Rootkits and Targeted Attacks.
Enterprises will keep getting better at dealing with e-mail-borne worms and viruses, and unless hackers come up with a fiendishly new way of delivering them, 2006 could well see the end of the mass-mailing worm phenomenon. But Trojan horses, rootkits, spyware programs, phishing and targeted attacks will continue to pose big challenges.

Patch and Pray No Nore
Hackers often take advantage of new software flaws faster than companies can apply patches. This year, the goal will be to prioritize patching based on asset value and specific threats rather than the more generalized patching processes currently in place. But the asset and data classification needed to enable such a patching process will be a major challenge.

Securing the Data
Most security efforts have traditionally focused on securing the perimeter and the network using tools such as firewalls, antivirus software and intrusion-detection systems. This year, expect to see more attention devoted to securing the data residing in storage networks, databases, servers and desktops. Why? Because hackers and insiders have started going after the data and because traditional network perimeters have begun fading away as companies tie their networks with those of partners, suppliers and customers.

Locking Down the Network Endpoints
One of the biggest threats to corporate security comes from insecure network endpoint devices such as desktops, notebooks and other client systems belonging to remote and mobile workers, contractors, partners and consultants. As a result, expect to see a lot -- and I really mean a lot -- of focus on tools that can permit, restrict or deny admission to corporate networks based on the security status of the end users' systems.

The 800-pound gorillas move in Microsoft Corp. and Cisco Systems Inc. will expand their influence in the security market. But pure-play security vendors that offer more innovative, and enterprise-tested, products will continue to appeal to corporate customers.

CISOs get some R.E.S.P.E.C.T.
Information security may have become a boardroom issue, but most security executives remain anonymous Joe Somebodies when it comes to recognition at the C levels of their companies. I've lost count of the chief information security officers who have lamented their remarkable lack of visibility within their organizations -- including one CISO who was never consulted by his CIO or CEO even after his firm suffered massive negative publicity following a major data compromise. But growing awareness of the potential reputational damage, financial losses and legal problems that a data breach can cause could improve the CISO's status in 2006.

See more '06 predictions in Security: Fast and Furious.

What else is on tap this year in IT? See the complete Forecast 2006 special report.