IT and Compliance: 5 Big Predictions for 2008

Service-oriented IT processes and technologies will help managers bring the enterprise into line in 2008—perhaps not a moment too soon. We can't shake the feeling that something big and very bad is lurking 'round the corner. Grab a security blanket and carefully read on for the hopes and horrors of 2008.

by Cass Brewer

Once again, we look into our crystal ball to present 10 major predictions for the coming year. On the bright side, we believe the year will be blissfully short of regulatory shocks to the system on the order of Sarbanes-Oxley and the e-discovery amendments to the Federal Rules of Civil Procedure (FRCP) of 2006. Managerial evolutions, such as process-centric IT and better application of risk-management principles to information security management, will help companies refine and streamline IT governance and compliance. And the slow technological shift toward Web services and virtualized environments stands to ease development and control burdens. Vendors will also improve the picture by consolidating and expanding solutions in the quest to forge solution "silver bullets" that will slay a full slew of IT bogeys.

However, these and other factors will also place new burdens on IT managers to apply established principles and best practices in more efficient and innovative ways. More importantly, we have a deep sense of foreboding that a major data disaster awaits us in the next 12 months.

The soft US dollar, coupled with weak retail sales, fear of inflation, a consumer credit crisis, and the trickle-down debacle of poor bank-lending practices in 2007 may retard corporate performance, prompting companies across industries to clamp down on spending and scale back IT services and budgets in the process. The feverish pace of control development will consequently slow, despite every indication that major security control gaps continue to plague sensitive industry sectors, such as retail, banking, and manufacturing. Threats will not abate, however. In fact, several ugly ones are looming, potentially leading to a perfect storm of threat strength and defense weakness that could make for a fairly heinous 2008.

This week we present five of our 2008 predictions, focusing on some of the major movements and control gaps IT managers will address in the coming year.

  1. Green moves mainstream. In 2008, power and cooling management will gain major momentum. Companies will look for easy wins with green technology purchases, but will largely fail to master the larger challenge: usage patterns and user habits.

    The past year has seen a dawning realization that ecological considerations represent both serious costs and risks in IT departments, but the "green IT" movement has largely remained an ancillary consideration—or, at best, a fringe movement. Despite some media noise around risks spawned by growing data centers and high-density equipment, vendors have until recently offered little relief from power- and cooling-related stresses. IBM's Project Big Green; HP's Dynamic Smart Cooling (DSC) technology and other "green" data center products; and Sun's efficient Niagara chip and virtualized data center, Project Blackbox, among other vendor offerings, represent a sea change in supply-side support of more cost- and energy-efficient data center management. A surge of venture capital in "Cleantech" startups in 2008 will also spur the development of more operationally efficient hardware and software innovations.

    Meanwhile, the US government's Office of Management and Budget (OMB) will both reflect and help drive green momentum by requiring agencies to include green language in contracts. However, this and similar measures will chiefly impact new solutions. The "greening" of established systems and user practices, which will continue to represent the bulk of power- and cooling-management concerns, will be much slower—where it occurs at all. Only the advent of major and well-publicized data center meltdowns will spur institutional change on a major scale.

  2. Security controls go over the wall. IT managers can't rest easy on home-field security efforts. Contractors, outsourcers, business partners, supply-chain nodes, and other business network members also have privileged access to sensitive customer and business data. Scores of information breaches have been tied to such privileged third parties over the past several years, but third-party security has generally remained peripheral to managerial focus. In the next year, managerial confidence in internal information security, coupled with ample documentation of policies and procedures, will allow managers to contractually enforce security controls across broader business relationships.

  3. Solution vendors go deep and wide. Consolidation and solution expansion will both continue at a brisk clip in the GRC solution space, as vendors strive to position themselves as "end-to-end" solution providers. However, IT and compliance managers should be aware that even these more robust and comprehensive solutions will remain confined to fairly narrow IT management areas, in terms of the total GRC picture. For example, identity and access management and messaging security management will see the most aggressive consolidation and development.

  4. Mobile security gets equal mindshare. There's been no shortage of concern about mobile security, but it remains a sticky wicket due to the diversity of devices in use, the inability to control end-user behaviors outside of the office, and the lack of policy directives for mobile device use. On the whole, mobile security has remained a we'll-get-to-it-when-the-perimeter-is-secure priority; however, this attitude will shift in 2008. As handheld computers and increasingly powerful mobile applications drive more sophisticated computing outside the enterprise walls, companies will need to reprioritize mobile policies and controls as a primary concern.

  5. Managers map the VoIP void. Fast adoption of VoIP represents a furious risk for companies and a pretty target for miscreants. At least one major security incident in 2008 will draw managerial attention to the risks of unsecured VoIP networks. Meanwhile, the potential for VoIP data to be included in e-discovery requests will propel new interest in telephony records management.