The year is slowly winding up and I got to thinking about whether much changed in 2008. PCI DSS compliance continued to raise awareness of good practice more than anything else out there, but aside from that, did many organisations, our industry and the IT industry as a whole make much headway into the IT security problems we face? Looking at my December 2007 post, I could almost repeat everything word for word and just change the dates.
What happened to SAFECode and ICASI? No surprises there as we predicted.
Did the major vendors start pumping out better and more secure software? Did the number of “software” problems affecting everyday life and our society drop or rise? (Do we even measure the latter?). We know the answers.
Is anyone listening to prominent Industry thinkers and promoters like David Rice? How many others of us are getting the word out to anyone outside of our industry better now than we did in 2007?
With the global economic problems looking like they are only going to get worse, the optimists within our industry feel this will be a catalyst for organisations to think more about security. The cynic in me says it’ll probably be the opposite – organisations are going to be looking at the bottom line, at how much money they can save themselves from losing and how much they can possibly make. IT security ain’t going to be at the forefront of their thinking. (If not for PCI DSS, how many in our industry might not survive through 2009?)
So, as we continue to see 90%+ of the websites (and other applications) we test for the first time carrying critical vulnerabilities, the large majority of software developers struggling with even basic concepts of secure and “safe” coding, and organisations still struggling with IT security and risk management basics, can we make any predictions of great change for 2009?

Metrics. Metrics. Metrics.
Awareness. Awareness. Awareness. (fleeting)
From a prominent person in relation to the forthcoming commentary below: “The CSIS Commission of which you spoke goes public in a fortnight with its action document — stay tuned.”
Post -> referenced:
“On Sept. 16, James A. Lewis testified, among others, before the House Subcommittee on Emerging Threats, Cyber Security and Science & Technology.
Lewis is Senior Fellow and Director, Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), and director of the Commission on Cyber Security for the 44th Presidency (http://www.csis.org/tech/cyber/). Membership of the Commission is posted here: http://www.csis.org/component/option,com_csis_progj/task,view/id,1117/, and it includes Dan Geer from our community.
The written statement by Lewis can be found here: http://www.csis.org/media/csis/congress/ts080916_lewis.pdf. Streaming video from the hearing can be found here: http://homeland.house.gov/hearings/index.asp?ID=166”
DD, sometimes there are nuggets on the SecurityMetrics DL; however, they are more informational than anything groundbreaking yet!
More info: http://homeland.house.gov/Hearings/index.asp?subcommittee=12
“Real and measurable progress”, eh??
I wonder if its antithesis is – unreal and immeasurable regression?

Love ya work,
Rex.
No.
I made progress. I weigh at least a few cartons more than I did this time last year.
[...] post on “progress” (or rather lack of) in 2008. We can talk until the cows come [...]