Feb 7, 2010

Security Threats 2010 (and beyond)

The Net is full of top security threat lists for the new year. Maybe I should create my own list - just for the fun of it? Let's see - I don't have any products to sell, so that won't narrow it down. Safe bets would be social media and cloud computing. It's always good to remind people that it's not just criminals: internal users are a threat too. Oh - and the malware situation is getting worse every year, of course.

Let's try something else: the Top (of my head) Five Security Threats of 2010.
  1. Organizations prefer quick-and-dirty product-based security solutions

    Building a secure environment and secure behaviour is a tough long-term effort. In most cases security issues would be tackled best by studying and enhancing processes or by educating users. Good, strategically chosen products help, of course. Unfortunately it's too easy to fall under the product vendors' spell. I wish it were possible to buy security, but security is mostly the hard work of changing the way people think and behave.

  2. Projects skip security issues because of unrealistic budget/schedule/resource planning

    The road to hell is paved with good intentions. The saying is sadly true in so many IT and software projects. At first security is the top priority, but as the project runs out of money and time, priorities change. It's amazing to still see projects where the deadline and resources are set before the requirements are clear.

  3. Concentration on media-hyped security issues

    The media - often spun by product vendors - tend to report issues that security professionals are not so interested in. Reporters write about the tip of the iceberg, and we poor security profs try to concentrate on the real issues. I once read a great quote somewhere saying that nowadays the media doesn't report the normal state of the world, it reports the exceptions. The problem is that users - and sometimes even management - want to see action targeted at those very visible issues. Organizations waste money and effort soothing media-"educated" users. Could former politicians make great CSOs/CISOs?

  4. Blocking use of new, innovative products/services for security reasons

    Facebook? Bad. Cloud computing? Bad. Mobile access? Bad. Twitter? Don't get me started. Many security experts have a primitive reaction when anything new comes into sight: this new thingy makes all our old (and expensive) security products useless, hence it must be forbidden. I wonder how many business opportunities are delayed while security people think about threats.

  5. Planning security projects based on different Top Security Threats lists

    In short: if your security programme is based on gathering top threats from different lists, you are doomed. Think about business requirements and risks. It's useful to add the consensus on threats to the equation, but don't let it be the driving force.

There. If we are unlucky, I can reuse this post next year.