As we enter 2013, it’s time for a few predictions. Here are my eight contributions to the New Year’s security forecast:
Prediction 1. An organization will declare bankruptcy after a cyber attack.
While some organizations are shoring up against cybercrime, many are not taking even basic or intermediate steps to remove vulnerabilities. As the number of attack attempts increases, so do the odds of a catastrophic event that causes an organization to fail. The U.S. Cyber Consequences Unit (US-CCU), an independent, non-profit (501c3) research institute, has found that a cyber attack capable of hijacking systems at the corporate level could “have the potential to create liabilities and losses large enough to bankrupt most companies.”
Prediction 2. “Enterprise Security” will replace separate corporate/physical and IT security functions.
Tucking pieces of security into organizational silos leaves vulnerabilities and information gaps that threats can exploit. The move to a single, global CSO office will continue, and that office will comprise all risk management and resilience-related strategies and operations. A major driver will be the threat of cyber attacks against the weakest link in the chain. Only an enterprise risk strategy that covers all threats and vulnerabilities will be effective, and organizations are reorganizing accordingly.
Prediction 3. The share of CSOs managing cyber security will jump from 21 percent to more than 50 percent in 2013.
As enterprise security arrives on organizational charts because of cybersecurity concerns, convergence between the physical and logical worlds will be realized. The risks and losses will finally outweigh the internal politics that resist change. IT is not designed to be risk-centric on security issues, and security is not staffed to manage dynamic technology requirements. The current state of affairs, in which four out of five organizations do not address cyber security at the enterprise level, will not stand.
Prediction 4. Cyber legislation enacting minimum standards for critical infrastructure will (finally) be passed.
Government agencies from DHS to DoD are already positioning themselves for their share of an anticipated cyber security spending windfall. Defense Secretary Leon Panetta has warned about U.S. vulnerability to a “cyber Pearl Harbor.” The challenge will be enabling information sharing among government agencies and private organizations in the critical infrastructure sectors without violating civil liberties.
Prediction 5. At least one Security 500 CSO will be promoted to an executive role outside security.
The level of business acumen and leadership among the top leaders currently managing security for their organizations has soared. Their contribution to the overall success of the organization is understood, measured and rewarded at the board level. The time and opportunity to leverage that skill as COO or as head of an international business unit has arrived. Just as in the IT world, where John Reed, the visionary technology leader at Citibank who championed ATMs, became its CEO in 1984, I expect to see the business leaders who currently manage security for their organizations move into broader executive roles.
Prediction 6. Security Information Management will grow dramatically.
Nothing beats knowing. As organizations move toward risk management and away from event response as their strategy, the demand for real-time situational awareness from their security technology systems will increase. Global security operations centers (GSOCs) and central stations will invest in more situational awareness and business optimization software tools. Midsize organizations that are unable to build their own GSOC may obtain this information from their central stations as an on-demand or shared service.
Frost & Sullivan research analyst Krzysztof Rutkowski notes of physical security information management (PSIM) software, “Since understanding the benefits of any security solution is necessary to implement it, the rising awareness on PSIM will transform this million-dollar market into a billion-dollar one by the end of the decade.”
Prediction 7. Consolidation reigns in the surveillance camera market.
It has taken a decade or more, but enterprises have set strategic procurement goals for security technology, which means fewer brands being purchased. That reduces the number of service and warranty agreements, the operator training required and the total cost of ownership (TCO). Likewise, continued mergers and acquisitions in the distribution channel are thinning distributors’ product line cards, which reduces training and service requirements and streamlines inventory cost. Expect to see bigger winners and some big losers in this space.
Prediction 8. The focus on risk management and resilience will increase.
Hurricane Sandy has taught businesses, institutions and government that their resilience plans are not nearly resilient enough. As this is written, parts of New York and New Jersey are entering their third week without power after the storm. Enterprise security teams will take a hard look at what went right and what went wrong and retool their policies, procedures and training. David Shepherd, CEO of the Readiness Resource Group, an enterprise resilience consultancy, contends that while testing and training are critical, the outcome is not known until the people, policies and technologies are tested in a live event.
As we close 2012, allow me to thank all the people on the Security magazine team who have made this another record year for us. I wish everyone a very happy and secure holiday season.
Please Mark Your Calendar
The Security 500 Conference, postponed from November 1, 2012 because of Hurricane Sandy, has been rescheduled for February 12 at the Roosevelt Hotel in New York City. Visit www.security500event.com for more information.
This article was previously published in the print magazine as "For Your Consideration: A Few Predictions."