The Next Chapter

Uncle Sam Will Audit You

The U.S. government will create a cyber equivalent of the Transportation Security Administration (TSA). Just as the TSA is charged with elevating the current level of transportation security nationwide in all modes - air, land, water and rail - so, too, will the Digital Security Administration be charged with elevating the current level of digital security being practiced by commercial enterprises in the U.S.

The Digital Security Administration will conduct information security audits on the code of the top 20 enterprise software vendors. Code not found to be up to specifications will be labeled unsafe. Vendors with unsafe code will have six months to bring the code up to security standards.

The Digital Security Administration will also conduct information security audits at all companies in the critical infrastructure:

• Financial and currency markets.
• Domestic and global lines of communication.
• Mass points of e-sale and retail.
• Utilities.
• Health care facilities.

Failure to bring code, data and network management practices up to specification will result in jail sentences for board members and senior executives.

-- Thornton A. May, Toffler Associates Inc., Manchester, Mass.

National IT Security Council?

By 2010, IT security will become the primary focus of U.S. national security policy.

-- Atul Dighe, senior futurist, Institute for Alternative Futures, Alexandria, Va.

90% of the Problem

Through 2005, 90% of cyberattacks will exploit known security flaws for which a patch is available or a solution known.

And through 2005, 20% of enterprises will experience a serious Internet security incident (beyond a virus). Of those that do, the cleanup costs of the incidents will exceed the prevention costs by 50%.

-- Richard Mogull, analyst, GartnerG2, Stamford, Conn.

On the CEO Agenda

IT security will become a boardroom issue in the next two years. CEOs will have to manage the risks, just as they manage other sorts of risks. They'll depend on chief security officers to provide the metrics on a portfolio of assets and the risks that have a bottom-line impact - just like a chief financial officer does, except that IT risks are constantly changing.

-- Mark Milatovich, director of security, Corio Inc., San Carlos, Calif.

Not An In-house Job

Security will be outsourced, as more and more companies realize it's too expensive to do in-house. Just as companies outsourced their software 20 years ago or their modem banks five years ago, they will outsource their network infrastructures tomorrow. In the real world, every bank hires another company to drive its money around town, and every building manager hires another firm to post guards in its lobby. Outsourced network security will become as commonplace as outsourced phone services are today.

-- Bruce Schneier, founder and chief technology officer, Counterpane Internet Security Inc., Cupertino, Calif.

The Biometric Niche

Stronger authentication will supplement simple password approaches in the next few years, but infrastructure limitations will impede smart card adoption until 2003, and biometrics will remain niche through 2005.

-- Earl Perkins, analyst, Meta Group Inc., Stamford, Conn.

Smart Cards: Slow Growth

Significant smart card growth still faces several hurdles. Issuers are hesitant to commit to smart cards until the cost of the chip card comes down. Merchants won't spend the money to upgrade equipment to accept cards because they don't see consumer demand. And consumers don't yet see why they need a chip card - no one has come up with the right combination of chip-based applications to intrigue them enough to switch.

-- Catherine Graeber, analyst, Forrester Research Inc., Cambridge, Mass.

Malpractice Litigation

What do you tell the CEO when a forensic audit of your public relations disaster says it could have been prevented by a vendor fix that had been available for eight months but was never applied?

Ineffective application of hardware and software security fixes is career-threatening. Chief security officers who fail to get their arms around configuration and change management will exceed the CIO turnover rate of 38% by 2003.

This is what breeds those "left to seek other opportunities" memos and will produce a lot of security malpractice litigation in the next two to five years.

-- Phil Rosch, analyst, Giga Information Group Inc., Cambridge, Mass.

The Security Action Plan

Stories in this report:

• The Security Action Plan
  
• The Story So Far: IT Security and Disaster Recovery
  
• Maximum Security Returns
  
• Manage Those Patches!
  
• Build a Computer Incident Response Team
  
• Let the Pros Investigate Computer Crimes
  
• Watch Out for Wireless Rogues
  
• For Disaster Recovery, Put Your IT Eggs in Different Baskets
  
• Denying Network Service
  
• Think Like a Terrorist
  
• Field Report: Out from the Shadows
  
• How to Thrive in the IT Security Market
  
• The Next Chapter: Predictions about IT security
  
• IBM's view of the hot trends in IT security
  
• Case studies in IT security and disaster recovery
  
• Intrusion-detection systems are evolving
  
• Reporter's Notebook: IT Security
  
• Top 10 Vulnerabilities in Today's Wi-Fi Networks