The amount of information coming out of US Government bodies on cybercrime, information security and the real and immediate danger faced by all businesses has grown remarkably in the last 12-24 months. Just one recent example: ‘We’re all at risk’ of attack, cyber chief says. (In Australia, Government action, as Borat would say, “Not so much!”). Online and paper-copy IT magazines and journals now have dedicated IT security sections. We even read more about the issues in the mainstream press. More and more universities now offer IT security courses. (Though the quality of many is questionable, it’s a start).

But has anything really changed that much in reality in 2007 where it matters, i.e. in the minds and actions of businesses and individuals?

Here’s just my take on 2007, from what we’ve seen and been involved in – in no particular order:

- Most organisations are still insecure. Across the board, little would have changed if statistics were available. (Annual surveys add little to our knowledge). Most organisations have progressed little, if at all, from a risk minimisation perspective. IT security heads still struggle to get buy-in for their initiatives and plans for better security. Very few organisations can profess to having direct C-level management involvement and support.
- Very few organisations have a workable, enterprise-wide IT security and risk management strategy and framework. “The 7 Reasons why Businesses are Insecure” remains a valid statement. Every one of the 7 “reasons” can also be considered as not having moved forward much in 2007.
- The focus on Internet network security, and in particular web application security, has grown. More organisations seem to be thinking about what they put out there. While awareness has grown, and more organisations are doing things, they’re still in the minority. In addition, one test does not make for a lifetime of security. Few organisations who do engage this testing do it on a regular basis (i.e. at least yearly, or when significant changes are made to systems and applications).
- Proactive vulnerability assessment and management still hasn’t caught on as a must-do. Patching and a reliance on anti-badware technologies are still seen as the main defence against the bad guys and bad internal system deployment practices (i.e. hoping a technology will protect the organisation against not giving a real stuff about how something is deployed in the first place).
- Organisations continue to waste millions of dollars on silver-bullet technologies, sucked in by the marketing spin of companies who have professed for years to be able to solve the security problem. See the previous point. Organisations aren’t buying technologies like vulnerability assessment tools to help them know where they have problems; they’re buying technologies that they hope will take the responsibility away from them and magically fix everything.
- Outsourcing accountability seems to grow. I lost track of the number of times this year I spoke with a company that had outsourced or was about to outsource “protection”, e.g. firewalls, IDS/IPS. NONE could really explain the substance of what it was they were getting once you scratched the surface a bit.
- Australian Government initiatives amounted to little in the way of tangible benefit to the community. The new Labor Government marketing was even scarier. Kevin Rudd has started off really well in other areas though, so who knows? This could be a surprise in 2008.
- PCI DSS awareness grew, but very few organisations actually came close to compliance in 2007. In all of our dealings, only a couple of organisations stood out. The rest had a long way to go (i.e. read: insecure).
- The importance of the role of the CISO and IT Security Manager moved up slightly, but only very little. Many organisations created these new roles, but few really knew why, or what these industry people should be doing for them. It just seemed like a good idea because others seem to be doing it, as reported in the press.
- The passion of people in the industry remained awesome (CISOs, IT Security Managers, researchers, consultants, commentators).

Geez, I sound like a cynic apart from the last point. NB: many organisations did make great movement forward in 2007. I’ve never seen the banking and finance sector busier in this area, so that is a good thing. I always suspected that the regulators would need to drive significant change here, but it seems that it’s the other way around. What regulators? :-)

The previous points were from a high-level, overall industry view. Okay, let’s be fair: while action on the ground where it matters did not move that much, awareness is growing and momentum for change seems to be there. 2007 was an improvement on 2006, just. And I do see 2008 as a year of further growth in awareness and action.

I welcome your thoughts.
