Compliance with Sarbanes-Oxley (Sarbox), GLBA, HIPAA and a number of other regulations has become a key driver behind information security decision making. This does not necessarily change how security professionals do their jobs, but it will give security challenges higher-profile recognition, which, in turn, will be key for the next set of initiatives we face in locking down the enterprise and preventing data loss. As we consider emerging security issues, there are a few points to keep in mind.
First, the need for defense in depth strategies has not changed. If anything, it is more pronounced. We still need anti-malware, intrusion prevention, and content filtering, but we need to add to that arsenal of tools.
Second, perimeter and host defenses are a fraction of the defenses we need. Data needs to be protected where it is stored and whenever it is transmitted. Database security and encryption should be high on priority lists if they aren’t already. Jaikumar Vijayan’s article in ComputerWorld, “Defending the Data will be a Focus” argues for more recognition of this problem and offers some in-the-trenches examples.
Finally, security professionals should not fall into a common IT trap: building silos. Consider how many applications and databases have been developed without adequate consideration of other systems within an organization. Too often, we find the need for a time-consuming and costly integration project because the world is not as cleanly divided as we once thought. Security, even more than other areas of IT, requires integration and coordination. We need to think in terms of comprehensive risk management and not just silos of threats and countermeasures.