Ten Ascendant Trends for the Next Chapter of Information Security, written by site editor Jim Reavis, is now available at www.riskbloggers.com.
As corporate information security matures, it is also expected that we will see a closer relationship with business continuity and disaster recovery, under an Enterprise Risk Management umbrella. Among key trends highlighted are metrics based on derivatives, federal rules of civil procedure, whitelisting and XACML. Overall, the trends show a need for information security controls to become more pragmatic in the face of rapid globalization of our enterprises, deperimeterization, regulatory overload and the reality of static information security budgets.
Those who own corporate information security programs have spent the last few years playing a game of regulatory catch-up, while for the most part spinning their wheels when it comes to implementing new and genuinely useful concepts to mitigate evolving threats and to justify their own existence.
Meanwhile, exploiting information security vulnerabilities for financial gain has never been easier and is now big business, with sophisticated utilities, stable malware pricing and even some slick marketing and mature distribution channels. The gap between good and evil is as wide as I can recall in my years in the business, and if it turns out that the recent Estonia bashing business was actually coordinated in part by the Russian government, well, it ain’t getting prettier. Yet, with all the bad news, you do hear about a lot of good ideas being bandied about to make changes in the way we protect information assets. OK, I am also hearing a few bad ideas as well, but at this point I think change for change’s sake isn’t necessarily the worst thing to do.
Whitelisting – Remember Internet2, the next generation of the Internet that was going to be free of all of the vile limitations of the version Al Gore invented? Well, it turns out the universities and other elites are still working on it, and when it finally hits prime time, you will be able to have 64 simultaneous YouTube videos streaming to your PC. Whatever becomes of the Internet, it will always have all of the good, bad and ugly that comprises humanity. However, corporations today have reached the breaking point where they are beginning to put significant time into whitelisting – configuring their business to work only with the parts of the Net they already trust and, in essence, cutting the Internet down to the servers, applications, processes and protocols they know and will tolerate. This is not easy, and maybe it will ultimately fail, but we are going to give it a try, and expect to see more whitelisting built into security policies and the products that support them. Several security companies in stealth or startup mode have whitelisting as a core feature.
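The posture described above is default-deny: a connection is permitted only when the destination, the port and protocol, and the originating program all appear on an approved list, and everything else is refused. The following Python sketch is an added illustration of that rule, not code from the post or from any product it mentions; the host names, process names and sample connection attempts are constructed for the example.

```python
"""Default-deny egress allowlist: a request is permitted only when its destination
host, port/protocol and originating process all match one approved entry."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class AllowEntry:
    host_pattern: str      # glob over the destination host, e.g. "*.example.internal"
    port: int
    protocol: str          # "tcp" or "udp"
    processes: frozenset   # executable names permitted to use this entry


@dataclass(frozen=True)
class Request:
    host: str
    port: int
    protocol: str
    process: str


# Constructed policy for illustration only; hosts and process names are hypothetical.
POLICY = (
    AllowEntry("*.example.internal", 443, "tcp", frozenset({"browser.exe", "updater.exe"})),
    AllowEntry("mail.example.internal", 587, "tcp", frozenset({"mailclient.exe"})),
    AllowEntry("dns.example.internal", 53, "udp", frozenset({"resolver"})),
)


def is_allowed(req: Request, policy=POLICY) -> bool:
    """True only if some entry matches every attribute of the request.
    Anything not explicitly listed is denied; that is the whitelisting posture."""
    host = req.host.lower().rstrip(".")   # normalise case and a trailing root dot
    for entry in policy:
        if (fnmatch(host, entry.host_pattern)
                and req.port == entry.port
                and req.protocol.lower() == entry.protocol
                and req.process in entry.processes):
            return True
    return False


def evaluate(requests, policy=POLICY):
    """Split requests into (allowed, denied). The denied list is what an operator
    reviews to grow the allowlist deliberately rather than through ad-hoc exceptions."""
    allowed = [r for r in requests if is_allowed(r, policy)]
    denied = [r for r in requests if not is_allowed(r, policy)]
    return allowed, denied


# Constructed sample connection attempts.
SAMPLE_REQUESTS = [
    Request("intranet.example.internal", 443, "tcp", "browser.exe"),   # allowed
    Request("intranet.example.internal", 443, "tcp", "unknown.exe"),   # denied: process not listed
    Request("intranet.example.internal", 8443, "tcp", "browser.exe"),  # denied: port not listed
    Request("video.example.net", 443, "tcp", "browser.exe"),           # denied: host not trusted
    Request("dns.example.internal", 53, "udp", "resolver"),            # allowed
    Request("DNS.EXAMPLE.INTERNAL.", 53, "udp", "resolver"),           # allowed after normalisation
]

if __name__ == "__main__":
    allowed, denied = evaluate(SAMPLE_REQUESTS)
    print(f"allowed={len(allowed)} denied={len(denied)}")
    for r in denied:
        print("DENY", r)
```

Two design points are worth noting. A match must satisfy every dimension at once, so a trusted host reached on an unexpected port, or by a program that is not on the list, is still refused; and the denied list is returned rather than discarded, because the practical work of whitelisting is reviewing what the policy blocks and deciding, case by case, whether to extend it.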