Four Key IT Security Trends for 2011


After a relatively quiet couple of years, acquisitions of IT security companies shot through the roof in 2010. Symantec purchased PGP, GuardianEdge, and Verisign’s identity and authentication services in the spring; HP quickly followed up with acquisitions of Fortify, 3Par, and ArcSight; IBM acquired BigFix; and CA acquired Arcot. Of course, the biggest purchase of them all was the whopping 7.7 billion USD that Intel paid to purchase McAfee. That’s a whole lot of acquiring going on – and one trend is clear: large enterprise-management-focused organizations are doing most of the buying. But what other trends or impacts does this activity point to? And what, if anything, does it mean for those of us working as IT security professionals?

To find the answers to those questions, let’s go back to the clear trend and unpack it a little bit. CA, HP, and IBM are all well-known for their enterprise IT management solutions: NSM (formerly known as Unicenter), Business Technology Optimization (some components formerly known as OpenView), and Tivoli respectively. All of them are business and operationally focused platforms and suites. What they aren’t: security or risk-specific. This isn’t to say that risk management and successful business operations aren’t synergistic, simply that the wall separating the security team from the network/systems management team is coming down, and it’s coming down fast. CA, HP, and IBM know this and their acquisitions reflect jockeying to be well-positioned to expand their enterprise management suites to encompass security and risk for a complete solution—managed from one central console.

What does this mean for those of us in the security trenches? I think it means we’ll see the following trends expand and become accepted realities in the next 3-5 years:

1.   The NOC (network operations center) is the SOC (security operations center).

Day-to-day security tasks are rapidly becoming operationalized. The days of a dedicated security administrator who manages the DNS, firewall rules, and IDS deployment are gone. At a small company, there may still be a single employee who does all of the above, but the likelihood is that they're also tasked with buying and setting up laptops and doing asset inventories. At larger companies, an operational team manages all of the above, with responsibilities distributed across the team. The NOC+SOC reality is becoming true both for in-house management and for externally outsourced management solutions.

2.   IT Risk Managers = Trusted Advisors.

Though hands-on security-only expertise may not be needed day-to-day for simple firewall rules and changing ACLs on routers, the experience and wisdom of IT risk professionals continue to be in high demand. For maximum benefit, though, this expertise will be transitioned into a more advisory role. IT Risk Managers will work closely with requirements definition teams, systems architects, and the managers in the NOC and data centers to advise on risk exposures and mitigations throughout the entire systems lifecycle. The benefit here is that if this reality comes to pass, security and risk awareness will finally be built into systems before deployment and no longer bolted on as an afterthought.

3.   Audit and Compliance Stand Alone.

Though the NOC and SOC are unifying, security and risk monitoring for audit and compliance will continue as a separate discipline and channel. By design, audit is meant to be an objective practice, separated from the pressures and concerns of the day-to-day business. Both internal and external auditors rely on report data and written documentation when making their compliance assessments, which means the accuracy of the audited information directly affects the compliance findings. For this reason, some auditors require a separate, verifiable channel for delivery of the data used in the audit assessment. In organizations where the highest levels of separation and security are required, this could mean a separate zone and channel for audit, such as a stand-alone SIM console with unique, audit-only sensors. In these cases, the separate audit monitors will need their own administration and operational staffing.

Regardless of whether a separate audit channel and zone is required, audit will need to remain independent from operations in order to maintain separation of duties. At smaller companies, or at those with a higher tolerance for some audit channel overlap, existing monitoring and sensor devices can be used, with separation occurring within the tool itself via reporting templates and hierarchical logins.
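To make the separation concrete, here is an added, constructed Python example (not code from the article or from any product it names). One sensor stream fans out to two channels: a mutable operations queue that NOC staff acknowledge and edit, and an append-only audit channel whose records are chained with a keyed hash so an auditor can verify that nothing was altered after delivery. Roles and the "hierarchical login" inheritance table are assumptions for the sake of the illustration; the key, events and role names are all made up.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical key: in a real deployment it is held by the audit function
# (or a separate SIM console), never by the operations team.
AUDIT_KEY = b"constructed-audit-key-not-for-production"
GENESIS = "0" * 64

# Hierarchical logins: a role inherits the grants of its parents. An ops
# administrator gets everything an operator gets, but nothing from the
# audit role, and vice versa. Separation of duties lives in this table.
ROLES = {
    "ops":       {"inherits": [],      "grants": {"ops:read", "ops:ack"}},
    "ops_admin": {"inherits": ["ops"], "grants": {"ops:edit"}},
    "audit":     {"inherits": [],      "grants": {"audit:read", "audit:verify"}},
}

def permissions(role):
    """Flatten a role's own grants together with everything it inherits."""
    grants = set(ROLES[role]["grants"])
    for parent in ROLES[role]["inherits"]:
        grants |= permissions(parent)
    return grants

def authorize(role, action):
    if action not in permissions(role):
        raise PermissionError(f"role {role!r} may not perform {action!r}")


class AuditChannel:
    """Append-only store. Each record's digest covers the previous digest and
    the record body under AUDIT_KEY, so an edit, deletion or reordering
    anywhere in the chain shows up when an auditor calls verify()."""

    def __init__(self):
        self._records = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        prev = self._records[-1]["digest"] if self._records else GENESIS
        self._records.append({"prev": prev, "event": copy.deepcopy(event),
                              "digest": self._digest(prev, event)})

    def records(self, role):
        authorize(role, "audit:read")
        return copy.deepcopy(self._records)

    def verify(self, role, records=None):
        """Recompute the chain over the stored records (or an exported copy)."""
        authorize(role, "audit:verify")
        prev = GENESIS
        for rec in (self._records if records is None else records):
            if rec["prev"] != prev or self._digest(prev, rec["event"]) != rec["digest"]:
                return False
            prev = rec["digest"]
        return True


class OpsChannel:
    """Mutable working view for the NOC: alerts get acknowledged and edited."""

    def __init__(self):
        self._alerts = {}

    def receive(self, event):
        self._alerts[event["id"]] = dict(event, status="open")

    def acknowledge(self, role, event_id):
        authorize(role, "ops:ack")
        self._alerts[event_id]["status"] = "acked"

    def edit(self, role, event_id, **changes):
        authorize(role, "ops:edit")
        self._alerts[event_id].update(changes)

    def alerts(self, role):
        authorize(role, "ops:read")
        return copy.deepcopy(self._alerts)


def ingest(events, ops, audit):
    """Fan each sensor event out to both channels before anyone can touch it."""
    for event in events:
        audit.append(event)
        ops.receive(event)

# Constructed sample events, shaped loosely like firewall/IDS sensor output.
SAMPLE_EVENTS = [
    {"id": 1, "src": "10.0.0.5", "rule": "fw-deny-outbound", "severity": "low"},
    {"id": 2, "src": "10.0.0.9", "rule": "ids-scan-detected", "severity": "high"},
]

def demo():
    ops, audit = OpsChannel(), AuditChannel()
    ingest(SAMPLE_EVENTS, ops, audit)
    ops.acknowledge("ops", 2)                 # NOC works the queue...
    ops.edit("ops_admin", 2, severity="low")  # ...and downgrades an alert.
    tampered = audit.records("audit")         # an export with one field changed
    tampered[1]["event"]["severity"] = "low"
    return {"ops_severity": ops.alerts("ops")[2]["severity"],
            "audit_severity": audit.records("audit")[1]["event"]["severity"],
            "chain_intact": audit.verify("audit"),
            "tampered_verifies": audit.verify("audit", tampered)}

if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in `demo()`: the operations view ends up saying the scan was low severity, while the audit channel still says high, and the auditor can prove that no record in the delivered chain was altered. The same role table gives the "reporting templates and hierarchical logins" arrangement when both channels live inside one tool, since the ops roles never receive an `audit:*` grant.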

4.   Research Innovation in the Niche.

Vulnerability research, testing new ideas, experimenting with product innovation: all of these are essential to keeping IT infrastructures secure and to continuing the evolution of security and technology as disciplines. Although large companies maintain research and development labs, the majority of innovation will occur at universities and start-ups.

Are you a practicing IT security professional? What do you think? Join the discussion in our comments section below or on Twitter (include #securitytrends and/or @eSecurityP).

Diana Kelley is a partner at SecurityCurve and frequent contributor to

Follow eSecurityPlanet on Twitter @eSecurityP.