Three Big Trends in Information Security: Past, Present and Future

As a senior vice president in charge of industry analyst relations with CA Inc., Joanne Moretti is required to always have her finger on the pulse of information security. Moretti, who was recently named a “Woman of Influence” at the Executive Women’s Forum, has been working in IT and security for more than 20 years. Her career as a security practitioner began as an ACF2 programmer on mainframes. She joined CA as a technical consultant and eventually worked her way up to general manager of sales, first with CA Canada, and then for CA’s US West business. She assumed her current IAR role earlier this year. Moretti recently sat down with CSO Senior Editor Joan Goodchild to talk about what she’s seen CSOs and CIOs struggle with over the years. She also forecasts pain points that are coming down the line.

Where did CA see the most growth in IT security in the last decade?

It’s funny, because things often emerge as trends and then people jump on the bandwagon. Then they fizzle out and the real problem begins. So, it’s almost like software is often a bit ahead of its time.

I think the biggest trend I saw emerge in recent years was identity management and role-based management. That’s a good example of something that went through the cycle where there was a big spike in industry, then it tapered off, then compliance came around with Sarbanes-Oxley and it picked up again. And the big driver behind identity management is becoming more efficient.

I think there are three real big reasons why people focus on identity management and automated provision. The first is cost. Companies often have a security group managing an Oracle environment, and a separate group managing a Unix environment, as well as separate security groups for Mainframe and SAP environments. That literally happens, even today. There are all these pockets of good work going on, but it’s not connected and there are too many of them. CIOs and CSOs are faced with the dilemma of all these resources and people managing security. But a lot of resources not well utilized.

Another big reason for focusing on identity management is risk. And then, thirdly, is compliance. Compliance put the icing on cake, so to speak. When the regulations started coming out, when SOX became big thing, then it got to be a real pain. People couldn’t identify who was doing what on the system to their auditors. So there were audits findings and risk all over the place and compliance regulations that needed to be followed. So those are three key drivers: cost, risk, and now, compliance. That’s what drove identity management through its big spurt.

What has emerged as a hot area now? What are CSOs and CIOs investing in these days?

E-business is driving an enormous amount of activity on the security front for us. In the last two years, there has been a real uptake there. As an example, Sony Pictures is managing all of their content which is obviously their gold — with our web access control. They will identify which people can get at which content. And it makes their life simpler to help their customers self-provision themselves and self-serve if they need to do a password reset and get into the site much easier.

Another company we’ve helped with e-business is Bell Canada. They had eight disparate legacy systems for customers to access information about their satellite TV, or their land line phone service, or if you wanted to purchase a mobile phone. So there were multiple systems customers could get at. Bell Canada wanted to provide customers with one password, one user ID, to get onto their business systems. We helped them implement a web access control system that allowed them to do that. They dropped calls to the help desk by 2 million calls a year. Each of those calls cost about $15. So you can do the math to see what a cost savings that was by offering a simple, secure approach to access their web.

And where are we headed? What are you hearing murmurs about from your clients? governance, risk and compliance as well as managing and monitoring controls. It’s just like managing and monitoring disparate systems. You’ve got all these disparate silos of people that are trying to do auditing. And companies are looking for the single thread and where they can remove redundancy from both the system and the business. They are looking for one holistic approach to managing compliance and regulations.

Now what I’m seeing is activity around is

Were getting into this space slowly because GRC isn’t really defined fully yet. So instead of just splashing product in the market we are working with our partners. We have 12 early adopters and we are working the kinks out with them. We think this market is still evolving. But we don’t want to jump in too fast.

The other emerging market is around managing of records and managing information from a litigation standpoint. I would call it litigation risk. That is, records management, information governance, records retention and retrieval. Customers are wondering: How long do I need to keep something for? We are trying to help our customers with some best practices around that.

What, in your opinion, is the climate like out there right now for security professionals?

I think the people we deal with: CIOs, CISOs, and CSOs, are getting pounded. They are getting pounded with demand; they are getting pounded with tough, trying times in the economy; they are getting pounded with compliance. General business demand: strategic demand, tactical demand, operational demand, it’s all coming at them at once. We are trying to give them software tools that talk to one another. My thinking is: Why silo people? However we can help clients automate, and consolidate, makes life simpler for the CIO and the CISO.