It's (nearly) 2012 - So What? ;)

The other big headline for 2012 will inevitably be the US presidential election. Without delving into politics, allow me simply to forecast now that we're not likely to see much change, especially in light of the current administration, which ran on a platform of "hope" and "change" that has never materialized. If you're interested in politics, then I suggest going back and reading about the Gilded Age and the interesting parallels. We seem to live in cycles of sorts, which does concern me a bit as that might imply another world war in the offing. There's a comforting thought for you.

Closing out 2011, there are a variety of breaches to look back on. I'm sure there are comprehensive lists somewhere, but I'm too lazy to go find them (I hear Google searches work for that sort of thing;). From my recollection, the big ones seem to be related to HBGary, RSA, and now STRATFOR (though I don't know that I consider it to be in the same class). The RSA breach was probably the most interesting one from within the infosec industry. It's always interesting to see in-industry companies having issues. HBGary was intriguing, too, for similar reasons, though they did suffer from poking the bear a bit, whereas RSA was likely more of a strategically interesting hack to compromise technology.

The STRATFOR hack perplexes me. I don't get targeting them, aside from the flash of press hype that's ensued (slow news week?). Sure, they had some high-profile companies as customers, but they weren't really all that interesting a target. They seem to provide fairly objective analysis, and they don't seem to take sides. Moreover, they've done very little in the "cybersec" space, which makes me scratch my head even more. Ah, well...

Looking forward to 2012 for security, I hope that we can continue making progress in key areas like GRC and risk management. 2011 seemed to see a lot of bandwagon-jumping around use of the term "risk," and that will hopefully lead to a better approach going forward. We need more data points, more open sharing, and more maturity. I think we can and will continue making progress in this area, and I'm hopeful that the Society of Information Risk Analysts (SIRA) - to which I was voted a board member recently - will help us with maturing the state of art. I'm also hopeful that I'll be able to help customers improve their practices while providing useful tools through high-quality GRC solutions (note: I'm a bit biased given my employer!).

Outside of infosec, 2011 was intriguing for other reasons. Severe weather was more severe than we've seen in ages. Just in the DC metro area (where I live), we had an earthquake and hurricane in the span of a couple weeks. This was followed by more rain than we rightly needed, and then a very early first snow in late October. Lots of tornadoes hit around the country, and the ring of fire seems to be rumbling back to life as we start seeing an increase in earthquake activity all over the place. Average temps are soaring, which seems to partially validate global warming theories, though I still maintain that a major ice age is the logical conclusion to such activity.

People were also interesting in 2011, such as the Occupy Wall Street movement. The economy still stinks, and I don't think we've yet seen the end of that down-cycle. Will the eurozone survive? It's anybody's guess at this point. At the same time, some companies are doing just fine, and I expect we'll continue to see pockets of stability surrounded by large waves of uncertainty. Has it always been this way? It's hard to say, but my guess is not necessarily. 2012 will be an interesting year to see if politicians and business leaders can continue stabilizing things, or if the wheels will completely fall off. I can't help thinking that the specter of China lingers in the background, just waiting patiently...

2011 was definitely a bad year for dictators, but it's not yet clear if the new regimes will be any more democratic and less repressive. The elections in Egypt and Tunisia seem promising, to a degree, though I think it's too early to be certain if the outcome will be favorable. Iraq is already starting to fall into civil war, and you can just feel the influence of Iran in that area. Likewise, Syria continues to hold on to power, but I can't imagine that will last through 2012. Similarly, the transition of power in North Korea will be interesting to watch, though I will be surprised if we really see much change there (who knows). I'll also be interested to see what happens throughout South and Central America. Will Chavez last another year in power, or will we see a sweep of "Latino/Chicano/Hispanic Spring" movements? Nothing would surprise me.

Speaking of which, the Arab Spring movements were very fascinating to me, not only because of the role of technology, but because of the rapid transition we saw. It piques my interest because I wonder if there are intelligence agencies pulling strings in the background, actively working to destabilize these countries? If so, are we seeing the influence of the US or Iran or China or Israel or someplace else? I'm not a big fan of coincidence, and it seems way too coincidental that all these movements sprang up in quick succession. Then throw in the current anti-Putin protest movement in Russia and it starts seeming rather well-coordinated. On the one hand, I also wondered if the OWS movement was connected, though it didn't seem to have the same type of organization and structure, so maybe not. My guess is that 2012 will reveal something greater behind these changes... I just hope that the outcomes are predominantly positive and don't instead end up in some sort of global military conflict.

Lastly, I hope that 2012 will be a year of great personal growth. For the first time in a while I feel like I'm in a good place career-wise, and am very hopeful that I can now increase my contributions to the industry (no, I'm not talking of a "thought leadership" mythos). There is much we can do, and I think that many of the right pieces have started falling into place. Barring the introduction of absurd regulations like SOPA/PIPA into our cache of requirements, I'm very hopeful that organizations will continue improving their grasp on duties and responsibilities. The way forward is to de-operationalize security duties, elevating "infosec" to a "GRC" program (discipline, not platform), distributing security responsibilities to all personnel, and asserting accountability. Easy, right? ;) The groundwork is lain, the tools are suitably mature, and people are slowly starting to come to grips with this new reality. Sociologically, Boomers are retiring, elevating Gen Xers into leadership positions, helping achieve the necessary "it takes a generation" requirement for full social change. I'm hopeful that 2012 will be a great turning point in infosec, and that we can finally assert the needed paradigm shift.

At the same time, I'll be watching the political movements in hopes that things start to moderate again, and that we can see politicians actually seeking out and accepting input from true experts. Following the SOPA markup was truly depressing at times, with some members of the committee saying proudly that they didn't know anything about technology, nor did they need to hear from experts on the impact of the legislation. Hopefully 2012 will see some of these people and trends fade out in favor of a more informed future. Hey, I can dream, can't I? :)

So, that's it for my ruminations. May you have a happy, productive, positive 2012!

ps: I'm sure I've left out tons of stuff, but that's ok. ;)

pps: Updated to correct a number of typos...