Opinion: Goodbye to the Year of the Fire Pig

As we move into a year that looks ratty in several senses, here's how to manage

Don't let the champagne and funny hats go to your head: The new year doesn't come at the same time for everyone, and the fiscal new year rarely coincides with the Gregorian one. As security and IT managers prepare budgets in these waning days of the year of the Fire Pig (and onward to the upcoming year of the Earth Rat), or review the halfway mark for ones that coincide with the federal budget, I'll venture that we're looking at a year of fast-paced improvements in security technology.

It's also going to be a year of gulping black coffee, keeping our heads down and holding big policy projects back in the wings, as organizations seek to slash operational costs and take a stronger interest in tactical activities with immediate return. Considering immediate external, internal and long-term trends, it's not going to be a year of elegant security and privacy projects, or management interest in long-term planning.

Consume

There's bad news about breaches of personal data (is there ever good news?), from finance to healthcare data, especially as people increasingly conduct personal communications and business online. Surveys by several organizations show the number of people affected by breaches of personal data -- including credit card data, social security numbers or similar bits of data useful for impersonation or fraud -- has doubled or tripled since 2006.

Combine this with the sharp rise in personal bankruptcies in the US, and one would think that the public would be concerned about the overall wisdom of easy access to purchasing power or spur-of-the-moment personal money management. Instead, the public's minimal attention is focused on the symptoms and not the causes. For example, there's ample concern from business partners and card issuers about whether TJX has fixed the problems that led to the personal data of at least 45 million -- and possibly as many as 95 million -- people being spewed into the hands of interlopers.

However, there's not enough consumer concern about ongoing problems to impact sales figures significantly, nor enough investor concern about the lack of control and governance that led to the largest breach in history to put a serious dent in the stock price. By security and privacy measures, TJX is a company that ought to be euthanized by the market and left in the dust of 2007 as an example to others. By all accounts it's moving into 2008 with sales volume and profits alive and well.

Instead, consumer demand continues to focus on personal cost-saving technology, from shopping to long-term investment, and Internet-based services figure into that closely. Price comparison is easiest using aggregation sites, and consumers seem to judge the security of purchases based on the reputation of the seller (eBay rating or BizRate stars, for example), rather than information about breaches or privacy policies that indicate the long-term safety of doing business with a merchant. After all, who checks through the yearly record of organizations that have suffered a data loss before clicking on the "checkout" button?

Keep pace

Closer to home, organizations are adjusting to a new economic reality. With the dollar floundering in 2007 and showing no signs of recovery anytime soon, pressure is increasing for organizations to run with smaller margins and lower overhead. While there's more pressure than ever to keep pace with industry competitors or best practices for comparable organizations -- sometimes for competitive reasons, sometimes to actually reduce loss or risk -- few will take on major security policy or data protection governance projects in the near term.

There's just no room in the budgets for operational elegance. To be sure, the trends for incremental improvement in technical and process security controls will continue as they have over the past few years, but policy initiatives are likely to fall by the wayside as manufacturing, health, and technology organizations focus on the bottom line. It's possible that we'll see at least some service and finance entities use security compliance as a marketing tool, but they're more likely to show restraint when it comes to major initiatives.

Get right

Regulatory requirements or other governmental demands bring additional pressure on many organizations. Recent years brought us waves of fear and interest in required and addressable controls specified by the HIPAA Security Rule, technical and process controls inspired by the Sarbanes-Oxley Act, and increased seriousness about Payment Card Industry rules for handling credit card data. Other long-term changes have come into force in 2006 and 2007, such as the tail end of the Fair and Accurate Credit Transactions Act (FACTA) amendment to the Fair Credit Reporting Act (FCRA) that mandates proper disposal of information in consumer reports and financial records.

Many of these prompted fundamental changes for the better in how security and privacy programs were run in major organizations. No longer is it acceptable to slap a few technical security measures in place and call it a security program. No, one has to show that there has been some measure of risk assessment, and that there is a plan for controls that actually match the risks. Further, one has to show that the program is actually being implemented, and that someone is actually responsible for getting it done. The days of hand-waving and unaccountable security committees were over -- or so we thought.

Think again. Regulatory security and privacy focus has again shifted away from strategic and fundamental change, towards changes that are tactical and visible. For example, instead of clarification to the detailed accountability policy requirements in Sarbanes-Oxley, more federal effort has been thrown behind the creation of a national ID card standard through the federal "Real ID" Act. While this facilitates identification processes for new employees and easier background checks, it's a control in search of its policy -- i.e. a solution in search of a problem.

On the other hand, with strategic changes and policy requirements coming at a slower pace, now is a good time to get right with regulatory requirements, at least in terms of security programs and overall governance. With the US presidential election looming, a major federal push for administrative reform is unlikely. Instead, there will surely be more tactical and stopgap regulatory reforms for data protection and (unfortunately) mandates for technology to enforce dubious legislative moralizing. For example, the Children's Internet Protection Act (CIPA) places impracticable filtering requirements on libraries and schools, among others. As the American Library Association noted in its challenge to CIPA, no contextual filtering technology exists that would allow an organization to substantively comply with the law.

Trial by fire-pig

Nevertheless, the "won't someone think of the children" nonsense continues to create problems for people responsible for technical security and privacy controls. The amusingly-named DOPA ("Deleting Online Predators Act") legislation may figure prominently in the upcoming election debates, despite the lack of logic in either its conflation of technology and crime, or its separation of social networking tools and other modes of constitutionally-protected congregation and expression.

Australia is already having a go at it, with the dreamy expectation that its latest laws mandating large-scale "clean" Internet feeds will invoke the necessary technology from the industry ether. Expect another furious series of fear-mongering debates by uninformed leaders about mandating the use of imaginary technology. Given the trends, we're more likely to see something along the lines of the Protect Absent and Mediocre Parents Escaping Responsibility Act of 2008 ("PAMPER"), than any serious legislation promoting privacy rights, or requiring proper governance and protection of personal data.

While it won't affect most commercial entities, any organization involved in providing communications or services to students or children, or any media provider with a minor audience, should make sure not to stand out from the crowd until some sort of reality check occurs. In all likelihood, that check will occur when some unfortunate organization trips over itself or invokes the ire of a legislative sponsor, and the regulatory mess is sorted out in front of a jury (or, we can hope, a well-informed judge).

Until then, with staff returning from holiday vacations and slack project schedules tightening up, it's best to focus on finishing major initiatives started over the past year or two, then look at the budget with an eye towards technical security and privacy control improvement. Get ready to defend security budgets with immediate returns, reduction in short-term liability, and other fast and visible results. Unless there were already problems with compliance with HIPAA, PCI or outstanding issues with SOX, focus on standards and implementation. While it's no less relevant and necessary than ever, there won't be much recognition for shiny and elegant policy work this year.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.

Copyright © 2008 IDG Communications, Inc.