Meeting of the Minds

Page 2 of 2

Jaquith: I think the next step is the mandatory gathering of -- you know, if I were putting on my legislation hat and looking to improve some of the existing data-breach laws -- I'd want to make sure some clear thresholds kicked in on when you have to report and when you don't, and that when you report you put them into a consolidated area such as with the attorney general. I know this has happened with certain statutes, but it's not the case in all 45 or so of the breach laws. That would be the first step.

Shostack: It's absolutely fascinating how DataLoss DB is just a private nonprofit initiative that has generated so much value for the industry. I'd love to see either government funding coming in to pay them to do it more, better, faster, more completely, or give them a nice pat on the back and set up a government-sector competitor that would capture the data and add to it in various ways.

Predictions: What Happens over the Next Five Years

Shostack: You took some hard swipes at Howard's predictions. So what do you think is going to happen? What's your forward-looking perspective on the next five years of cybersecurity? What should people be worrying about?

Jaquith: I've got my enterprise hat on for the most part, so I'll keep my comments there. In the corporate world, from a security standpoint, the IT security budgets are pretty much flat. There hasn't been much movement in the last few years, and we don't think anything especially noteworthy is going to happen on the budget front in 2010-11.

Shostack: Wait a minute: So with rising cybercrime, an increase in breaches and malware, you don't see budgets going up at all?

Jaquith: Well, it's possible, but overall IT budgets in general aren't going up too much and security is pretty much the same. We've gone through this period where security budgets had gone up 20 percent year over year until about three years ago when it started to level off. At a certain point, information security officers have got to be asked by their bosses, "What are we getting for all the money we've spent?" I think budget pressures are going to be there, but I also agree the threat landscape will increase.

So what does this mean? It means, frankly, that we've got a nice, consolidated vendor marketplace right now, and we're going to see a lot more price competition. Looking at things like DLP [data loss prevention] and encryption, we're going to see a flat budget. But customers are going to get better deals. You've got a lot of dynamics in the marketplace. For example, the lower-end device-control vendors will want to add DLP to the more simple-minded USB-blocking software and the like, and you've got incumbent vendors with DLP for enterprise looking to go down-market, moving this stuff through the channel. These things will get a lot cheaper, and that's key. The next prediction is that it'll still be good to be in the encryption business, because the common denominator you see in all these disclosure laws is that there's an explicit carve-out for encrypted devices carrying personal information. We can argue over whether this is the right thing to do or not, but the point is that because this safe harbor exists, you're going to see this software continue to make a lot of headway, because customers are going to do what they can to comply, and if the easiest way to comply is to encrypt hardware or something like an iPhone 3GS, this is the easiest way to comply with the letter of the law, if not always the spirit of the law.

So how about yourself?

Shostack: Let's start with the pessimistic view, and I'll harken back to the Howard Schmidt story: My pessimistic view is that we'll have the same security issues and plans we had five years ago, and we're not going to make a lot of progress. My more optimistic view is that there's really a rise in security as an aspect of other disciplines: the security in human behavior workshops, the security and usability and privacy conferences. As we start to see those things, we'll also see some surprising and amazing things in terms of what we need to do. My realistic view is that these trends are starting to pick up and get noticed. So over the next few years it becomes easier not to get more budget but to target your budget more efficiently. So in the future it becomes easier to push back on your auditors when they tell you it's a best practice to force a log-out on this site after 10 minutes. Well, why 10 minutes? It becomes easier to have a more data-driven conversation with your marketing departments: "No, we can't put a list of names and SSNs out on an FTP site and hope nobody is going to notice." While we're looking at a lot of scary stuff as practitioners, the meta level is actually getting much clearer and much better. As that stuff clarifies, it will make it easier to operate at a very practical level.

Jaquith: I hope you're right about that, particularly around things like usability and this idea of finding the right balance between what is good security and what's usable.


This story, "Meeting of the Minds" was originally published by CSO.

Copyright © 2010 IDG Communications, Inc.
