The Future of Risk

Added 15th Jan 2010
Ivan Arce, Attack Points

Although the practical value of this form of rudimentary forecasting is not clear, it became common practice for infosec industry analysts and thought-leaders.

Indulging in year-end foretelling is risky for the amateur futurologists and of limited value to their audience. Since it only takes about a year to contrast last year's predictions with reality, the braver foretellers may find their reputation ruined if they predicted radically new developments or if they stated their prophecies in uncompromisingly clear terms. On the other hand, less outrageous, unclear or hardly verifiable predictions will have little practical impact on their audience's actions. The forecasting ability required to predict a short-term future as a slightly modified version of the present isn't that great.

For CISOs and CSOs, the year-end predictions of December 2009 for 2010 will be essentially tactical in nature and may at best be useful for considering marginal changes in the distribution and prioritization of resources in their already prepared plans for the upcoming year.

In this context, a futures talk about the evolution of Information Security Risk within a one-year horizon is futile. I posit that the overall aspect of the information security risk landscape and its measurement is not likely to change substantially in one to three years, notwithstanding the Basel II Accord (and its implications for infosecurity in Operational Risk Management) and despite the multiple regulatory frameworks applicable.

A more promising approach to information security futurology may come from science fiction writers and professional science and technology futurologists, who are (arguably) less concerned with the developments of a specific industry or their ranking on the pundit reputation scale than with the artistic and commercial value of the output of their creative process.

A few weeks ago, I was pondering this when a friend pointed me to the keynote presentation delivered by science fiction author Charles Stross at the LOGIN 2009 conference last May. As an avid reader of science fiction I immediately recognized many of the underlying constructs of his published works, but I was amazed by his precise mapping of those ideas to a possible landscape for the gaming industry by 2030.

Reading the presentation instantly triggered an attempt to understand the implications of such a possible future for the information security risk management practice.

What may 2030 look like to the CISO or to the information security practitioner? What will be the prevalent form of Information Security Risk Management?

Although I can't provide definitive answers, I do feel confident enough to share some thoughts and predictions, knowing that it is unlikely that I'll be held accountable for them in 20 years. While the exercise has little immediate pragmatic value, it may be useful to foster longer-term strategic thinking about the infosecurity community, the market and the evolution of threats and risk.

Assuming that Moore's Law still holds, by 2020 an off-the-shelf computer will provide more than 30 times the raw computing power of today's price equivalent. By 2030 the increase in computing power per system will be more than a thousand-fold, with a similar increase in storage capacity and network bandwidth. These highly powerful systems (by today's standards, anyway) will be pervasively deployed across the more developed regions of the globe using embedded software on mobile platforms. They will have the ability to aggregate their capacity, build ad-hoc networks on demand and provide the result as a commodity to various types of consumers, ranging from individual users to large organizations. Such aggregation and acquisition of computing resources will be available to all infosecurity practitioners for both defensive and offensive purposes.

Systematic discovery and exploitation of vulnerabilities will be commonly acknowledged and accepted as part of the cost of conducting business and individual social interaction.

Distributed computing and distributed data storage will be a standard capability of even the simplest application, rendering the distinction between data-at-rest and data-in-transit as irrelevant as the definition of a network perimeter. Building a one-to-one correspondence between data assets and computing resources will be impossible, and building many-to-one mappings may not be useful at all, or feasible in the time necessary to assess risk and deploy avoidance or mitigation mechanisms. On-demand, real-time transfer of risk will thrive.

In an environment of relative abundance of computing power, bandwidth and ubiquitous data, information security operations will be mostly focused on supporting the continuous and intelligent acquisition and maintenance of a Quality of Computing Services capability: an organization's ability to draw, in real time and in an economically efficient manner, aggregated computing power and data from a multitude of seemingly opaque providers.

While the distinction between data assets at rest or in transit may not be relevant, and the attempt to enforce access control policy on them completely meaningless, the protection of the intellectual property used to create Data Derivatives of second order (information differentials) and third order (information about information differentials) from suitable and readily available data and computing resources will be of the greatest importance.

In that context, any definition of Information Security Risk as a function of a set of threats, vulnerabilities and assets identifiable and quantifiable at a given point in time will be either obsolete or severely limited. Today's risk management tools, based on (at best) simple linear regression models with additive risk calculations over that set, will seem as rudimentary as using an abacus for financial forecasting.

By 2030 an organization's or individual's information security risk posture will be better described as a probable trajectory in a constantly evolving, global, multi-dimensional risk landscape, and the tools used to measure and manage risk will be built on the foundations of modern physics, evolutionary biology, economic modeling and social sciences rather than on technology-dependent abstractions. Effective global situational awareness capabilities will certainly be a major function of risk management systems.

Sounds utterly complicated?

Yes, but fear not!

The providers, users and consumers of the output of such operational risk management systems will be information security practitioners who were born in and/or lived through several decades of rapid technology evolution. However, their perception of acceptable risk, information security and privacy standards may be quite different from today's.

So, how do you envision the role of Information Security Risk Management 20 years from now?