More Predictive Fun

By Andy Morris
Firstly, congratulations to Mike Rothman on joining Securosis.
Now, on to my Verizon post. Mike correctly pointed out that I drank too much over Christmas, and that what I said about being safe was fluffy and careless. In my defense, I was having post-Christmas fun, not submitting a whitepaper, or advising anyone on strategy. I’d just spent 400 words telling people to be vigilant, and not believe Verizon’s roses-round-the-door view of 2010. Plugging my products seemed like too good an opportunity to pass.
And in Verizon’s defense, I doubt the author really meant to sound as cavalier either. After all, Top 10s are just a way of letting off steam after a long year.
Over at Forrester, the big brains have put out a much more reasonable, more nuanced piece.
I like the Forrester document; it’s in tune with what I’m seeing happening here in Silicon Valley.
So, without further ado, here’s my take on their predictions:
A) Data security budgets will flat-line
I expect this to be true; after all, we’re in a tight spot money-wise at the moment, but some context is required. Firstly, I think that whilst spending on security will flat-line, spending on IT will fall. Meaning that security as a whole will now get a bigger slice of the pie, and therefore, will have greater visibility at the Board and “C-level” within companies. I don’t know of any B-2-B companies that are officially cutting list prices at the moment, but they all seem to be discounting heavily to secure purchase orders. So, now security has a greater share of the pie, buying even more vendor goods, which actually helps everybody. Greater buying power equals cheaper products, means more deployments, which in turn, means greater security. Win/Win. Hurrah for the recession!
B) Enterprises will strike better deals on DLP
This is really a very specific version of what I just said. DLP dealers like Websense, McAfee & Symantec sold roughly nothing last year. The DLP market exploded into life when some very early adopters paid Vontu a boat-load of cash for early access products. 4 years have passed since then, and nobody has really bought anything of note. Deep discounting during a recession is business as usual. If you want a DLP prediction, here’s one. Companies will stop pretending they can deploy content filters to prevent breaches, and instead, will focus on education and after-the-fact forensics. Or as we like to think of it over here, Log Management.
C) Cloud data concerns will begin to dissipate
Correctly, in my opinion, Forrester defines “the cloud” as being made up of totally different types of services, each with their own audience, scope, problems, and security concerns. These sub-clouds are: interactive apps (Facebook); hosted apps (Exchange); application APIs (Google Maps); application components (SimpleDB); infrastructure (Amazon); and physical space (GoDaddy). So the headline “concerns dissipate” is a little misleading. As Dimitri said, no one is going to trust the likes of Facebook or Flickr to improve to the satisfaction of a CISO, and everyone already trusts the physical security vendors with their array of cameras, motion sensors and armed guards. What is really top of mind then, are the hosted apps, and the infrastructure bits-and-pieces that can be assembled into enterprise applications. Forrester is right; we will gradually learn to trust these boys. The key word here is “gradually”. Here at LogLogic we already outsource our email and web service - and we’re very comfortable. We use SalesForce, and again, are happy that our customers are not being mixed in a big pot with our competitors’. But are we going to roll our finance, logistics and engineering secrets out to the cloud? Not yet. If ever. Clever word that “gradually”. It allows Forrester to be both right, and wrong.
D) Full disk encryption will continue its slow and steady march
Full disk encryption is on the rise! Hmmm. A bit like the sea levels. Yes they’re going up, but it’s imperceptible to the human eye - for now. Encryption clearly is a superb idea. But until it’s 100% transparent to the frustrated sales guy with his laptop, hundreds of miles from tech-support, it’s not going to be mainstream.
E) Creative vendor couplings will renew interest in ERM
Simply put, no. Well, yes. Creative vendors will seek ERM partnerships, but the examples given by Forrester are all about DLP. So, my question to you is, does tying two technologies, which quite fulfill their promise, together, make them attractive? Of course not. ERP will still be hard to deploy. DLP will still over promise, and under deliver. The future of data control is at a fork. We either go the 1984 route, and try to control everything, or we use education, forensics, and public discipline. Big Brother appeals to Silicon Valley because we think we can build it. But as we found out at Christmas, no security is 100% effective, there are no silver bullets, but vigilance and education can go a long way to solving the problem.
So, how do you best educate? My mom always says, (and she’s a teacher), teach by example. To help improve risk management what we need are tools that can analyze what’s gone wrong, and can demonstrate breaches to the masses. We have acronyms for that: SEM & SIEM. Here’s what Gartner, and others, think you need to know.
If you read the Forrester report, 90% of which I agree with, you’ll come to this conclusion: if you’re in business, spend security money wisely, educate your staff, deploy defenses where they’re proven, and be ready to swiftly, comprehensively and immutably document breaches. And stay vigilant. The bad guys are slippery like a worm.
Of course I’m biased, but that’s what we do here at LogLogic. We let you get on with running your businesses, making all that money, giving all those people a safe place to work, and should anything go wrong, we help you remediate.
Happy (safe, compliant, responsible) New Year.
Andy Morris, Product Marketing Director, LogLogic