10 Predictions for 2010: Kaminsky and Weatherford

Curious about what's going to happen to our critical IT infrastructure in 2010? Here, IT security luminaries Mark Weatherford, CISO for California State, and Dan Kaminsky, finder of last year's DNS flaw, offer five predictions each. (The first of 2 parts).

By Bill Brenner, Senior Editor

December 14, 2009 | CSO

As 2009 draws to a close and a new decade dawns, CSOonline has reached out to some of the industry's best known security pros in search of insight on what the next 12 months and beyond have in store for our IT and cyber infrastructure. Each participant was asked to make five predictions.

We begin with Mark Weatherford, chief information security officer for the State of California, and Dan Kaminsky, network security specialist, director of pen testing at IOActive and discoverer of last year's massive DNS flaw.

Tomorrow we'll continue with predictions from Oracle CSO Mary Ann Davidson and Howard Schmidt, former eBay CISO and vice chairman of the President's Critical Infrastructure Protection Board.

Mark Weatherford, chief information security officer, State of California

1. So, You Think You've Got Talent?
2010 should be the year organizations begin to truly focus on recruiting, training, and retention of cyber security professionals. One of the critical and growing problems those of us running security organizations face is the shrinking pool of technical cyber-security talent. There is more and more evidence (anecdotal though it may be) that organizations with weak security skills simply cannot protect their systems and information from the current level of hacker and attacker skills. A recent report by Booz Allen Hamilton stated that "the pipeline of potential new talent is inadequate" and that "there are concerns that America is not developing enough IT experts, creating labor shortages in both the public and private sector." In the public sector where I work, the 'retirement-bubble' we've been hearing about for a couple of years now is becoming very real and we need to begin growing the next generation of cyber-security experts now. Despite the economic and funding challenges facing most organizations, those who choose to ignore this issue do so at their own great peril.

2. Social Media -- It's not just a fad, but a fundamental shift in the way we communicate!
I think we all understand by now that the security issues around social media aren't so much technical in nature but are, well, Social. Because social media is all about the weakest link and hardest to control aspect of the security chain (people), phishing and the growing array of tactics cyber-criminals use to exploit, dupe and deceive will continue to expand. So, while the traditional hackers are still out there (see prediction 4), cyber criminals have figured out that it's easier to just let us hack ourselves. The result will be a vast increase in the number of incidents related to loss of Personally Identifiable Information (PII) and consequently, new and more regulations for both business and government to protect PII and other sensitive data.
