it really is all about the staff, if you want real value

Mogull has posted 2009 predictions over on CSOOnline. I wanted to react!

1. Shrinking security budgets.
Yeah, ouch. This goes back to one thing I hold dear: know how to provide security without the expensive tools. Paying for a commercial tool to do a tracert or analyze a 1MB log is added bloat. Be able to use the open source tools and basic skills to get things done. Yes, it takes time/money, but on paper it is often easier to cut tools than it is to cut staff. Like we always say, tools only go so far, but staff is where your value is. And keep metrics to justify the staff…

4. Database security market collapse.
Did this take off? I must have missed it. But I think it gets missed frequently because there are few things in a business so buried as the database servers and how things are stored and/or accessed. I’m not surprised this is underappreciated. I’ll consider this market a victim of the stupidly large cost of working in a technology-driven world. You want a database, and you also have to pay for this companion tool and that companion tool and this one over here for compliance…? And that’s only if you do things the right way, which is not how we humans are built (we live in the gray world of risk and gambling!). These need to be built in, just like Microsoft needed to build in a firewall and AV, with apologies to those markets.

5. Data Loss Prevention goes mainstream.
I still don’t buy it, unless you essentially make it part of the re-branding lifecycle of antivirus->antispyware->antimalware->host firewall->HIPS->DLP. Sure, then it works, but otherwise, on its own, I don’t see this as that lucrative. There are still so many ways to lose (or steal) data that tailoring a product to prevent it seems destined for futility in all but the most basic of operations. (e.g. Alert! Alert! Someone stuck in a USB key and copied a file over! omg! Alert!) To me, “Data Loss Prevention” is more of a security program than a single tool. Besides, it is yet another thing that won’t manage or configure itself; it needs staff to give it love.

7. The PCI effect. PCI will drive WAF sales, but customers will still be dissatisfied with their performance. …[Need to] make them more useful out of the box.
WAFs take effort. That, or they are so bare-bones they only protect against the most basic of universal attacks (signatures). I think the dissatisfaction grows as buyers are told they need to give their WAFs more love from their network and developer staffs than just “set it up and forget it.” Too many bought WAFs just to throw them in, turn them on, and have them protect the world…and that’s just not realistic. They need good rules, and people to watch those good rules.