Insights and intelligence from analyst Freeform Dynamics on the here and now of IT

Monday, 28 April 2008

New technology brings new risks

The future of IT security seems like a straightforward discussion: focused, direct and to the point.

Nothing, however, could be further from the truth. Businesses need to understand the risks and implement mitigating strategies if they want to keep ahead of the bad guys.

There are three types of organisation: those who get security and have ongoing risk management activities in place; those that understand security but struggle to implement appropriate measures; and those who think that e-crime will pass them by if they just keep their heads down.

For most, the future of IT security will be much like the present. There will always be people who spend most of their waking hours trying to break encryption algorithms and looking for back doors into telephone networks.

But there is also an evolving economy built around the market value of credit card details and the ability to launch denial of service attacks from unsuspecting, and generally poorly configured, home computers.

And IT leaders also need to consider risks caused by their own employees, whether through malice or stupidity. Internal workers have always posed the biggest threat to computer systems, even before product categories such as data leakage prevention were posited.

So, what does the future of IT security include? As a starting point, it is worth reflecting on the wider long-term development of technology. There are a number of trends driving how organisations deploy and operate their IT systems, and each of these trends brings risks that will have a direct impact on a broad range of areas.

Outsourcing and offshoring

The offshore resourcing market continues to develop, with Indian companies such as Wipro setting up in the UK and other local companies expanding their offshore operations.

Security risks range from the difficulties associated with vetting offshore staff, to the challenge of controlling and protecting business information held at offshore locations.

Hosting and software as a service (SaaS)

We are not yet seeing wholesale mass adoption of the SaaS model, mainly because the technology is still maturing across areas such as data integration. The risks are similar to the information integrity concerns associated with outsourcing.

Service-oriented architectures and Web 2.0

Both of these topic areas share the risks of using distributed system architectures that may extend beyond the corporate firewall. As well as being open to confidentiality breaches and denial of service attacks, there are also threats surrounding the publishing of interfaces onto corporate systems, even in instances where the interface itself is intended only for company use.

Virtualisation and datacentre automation

Virtualisation offers a quick win for many organisations, helping IT leaders to consolidate applications onto a reduced set of physical servers. The centralised control of preconfigured virtual servers can reduce security risks. But there is also the issue of virtual server proliferation and the potential for mismanagement, which could leave unpatched or forgotten virtual servers open to breach.

Mobility and unified communications (UC)

Suppliers are working hard to deliver on the concept of enabling users to communicate with each other as simply and seamlessly as possible. But UC is also a two-edged sword, and IT managers need to be prepared for abuse of these channels, particularly unsolicited (spam) calls over IP telephony.

Social networking

We are already seeing some of the security challenges that social networking can pose in terms of privacy and identity issues, for example. There are other risks that, to our knowledge, no one has exploited, such as pulling together composite identities of individuals across social networking sites.

Social networking presents a range of personal security issues, but it also raises corporate concerns, not least around an employer's duty of care towards its staff.

The above list of potential risks demonstrates that continued vigilance is only part of the answer. Risk management processes and policies are also crucial, and should be a fundamental part of any organisation’s security strategy.

Moreover, all of the above risks share one important element: they affect all parts of the IT architecture. Such risks cannot be mitigated by tactically acquiring a specialist appliance and implementing it in the server room.

If IT security is characterised by having a far-reaching impact, then we need to consider how the roles responsible for IT security can be given a similarly far-reaching remit.

We are already seeing some organisations, HSBC for example, combining their IT security function with a business fraud function, enabling the institution to deal with business and IT issues from the same point.

I have often characterised IT as a fire extinguisher industry, an analogy that makes sense if all people are doing is fighting fires. Challenges, such as the security issues listed above, will require us to move towards a prevention-based approach rather than a series of poorly-funded coping strategies.

And frankly, given that the trends are happening whether organisations want them to or not, the sooner we can get there the better.

Jon Collins is service director at analyst Freeform Dynamics.

Monday, 16 April 2007

What do mainstream organisations really worry about?

Watching the evening news, we are constantly reminded of how dangerous the world is. Stories about terrorism in particular dominate the headlines at the moment, but anything to do with political controversy or instability, significant changes in the financial markets, corporate scandals, cyber crime, natural disaster, public health emergencies, and so on, also tends to get prime-time coverage.

Against this background, we might assume that the average organisation is sitting there constantly worrying about the risks that arise from all of these potential threats to their business. But in a recent Freeform Dynamics study looking at business attitudes and practices in the area of risk management across Europe and the Middle East, we found that some of the more prominent threats highlighted by the media are not given that much consideration at all. In fact, businesses are generally much more concerned about information loss and downtime of IT systems than they are about terrorist activity, bird flu, earthquakes, floods or the antics of stock market investors or politicians (see chart below).

[Chart: Freeform Dynamics risk study, Europe and the Middle East; threats ranked by how much consideration businesses give them, with information loss and IT systems downtime at the top and terrorism, pandemic, natural disaster and market or political events at the bottom.]

Of course it could be argued that some of the potential problems at the top of this list can be caused by those at the bottom, but it is interesting that organisations are generally not explicitly considering the latter that much during the business planning process.

But should they?

Well, that depends. When considering any particular risk, it is necessary to assess three things – the probability of an incident occurring, the impact of an incident if it does occur, and the cost of either preventing an incident or dealing with its consequences. When we think in these terms, the above picture starts to make a lot of sense. While natural disaster in a particular geographic area can have a devastating impact on the local business community, the majority of businesses across Europe and the Middle East are just not located in high-risk areas. Similarly, while we all hear and read so much about terrorism, few regard the probability of being directly affected as significant. And, how sensitive is your business, really, to the ebb and flow of the financial markets, short of a major recession that you can do little about anyway?

Clearly most businesses figure that these things are not worth losing sleep over because they are so unlikely to be touched by them.

At the other extreme, the chances of very damaging IT-related issues occurring if you neglect to pay proper attention to operations, security, and so on are very high. Furthermore, the impact of critical data loss and downtime of key operational systems is potentially very significant in terms of damage to the business, which is clearly why these items are at the top of the risk consideration list.

We do, however, need to be careful not to generalise too much, as both perceived and actual risks are highly dependent on specific situations and scenarios. Looking behind the overall view of priorities we have been discussing, for example, we find that financial services organisations not surprisingly take the performance of financial markets and potential regulatory exposure very seriously from a risk management perspective. Oil and gas companies, on the other hand, with the nature and diverse geographic spread of their activity, pay a lot more attention to accidental damage (think fire) and natural disaster related risks.

These are a couple of high-level industry examples, but if we drill down again we can get even more specific. Financial services companies based in the City of London, for example, stand out in the degree to which they worry about terrorism, and any organisation that interacts electronically with the general public tends to be quite jumpy about the risk of IT systems downtime.

Beyond this, there is the question of balancing the three dimensions of probability, potential impact and cost of mitigation. This plays out not just at a macro level, but also when you are assessing very specific security or operational risks and considering how much time, resource and money it is worth spending to deal with a particular threat. We will be picking up on this balancing act during future discussions as we revisit the area of risk management in the context of different domains, particularly looking at how technology advances can open up new ways of dealing with some of the same old threats as time goes on.

In the meantime, if you are interested in more details of the risk study mentioned in the above discussion, the report is available for download here.

© 1995-2006 All rights reserved