Sivarama Krishnan :

The threat landscape is changing. I believe the critical threats that are now evolving include eco-terrorism, insider threat, profit-driven attacks, pandemics, vulnerabilities in cloud computing and Web 2.0, among others. We are witnessing a significant shift in the threat landscape as attacks from viruses, botnets, and the like, which are basically intent on exploiting vulnerabilities, to a more sophisticated form of attack, one aimed at gaining financial benefit.

Sivarama Krishnan :

Organizations are aware of the changing threat profile and are aligning their defenses to the new order. The main shift we are seeing is how companies are protecting their information based on its value. The new area of focus has been in preventing leaks in information and increasing end-user awareness. Why? Because organizations have realized that the best form of defense is to educate end users and ensure end-user compliance.

Sivarama Krishnan :

The basic principle of security is not to take anything at face value. The CIO's strategy for security has to undergo a change to tackle emerging global trends. The prominent change that I think they have to make is to assess what they propose to protect and figure out its value. The CIO's attention now needs to shift from protecting IT infrastructure to protecting business information.

Sivarama Krishnan :

I believe we will see two disruptive approaches being undertaken in the near future. One is obviously in the area of value-driven security, in which CIOs will have to map their investments in security to real values for their businesses. Threat-based investments will be soon be a thing of the past and CIOs and CISOs will now need to clearly justify an investment in a solution according to the value of information it protects or the value of the threat it minimizes.

The other disruptive approach is deploying security by creating zones that combine the physical and logical locations of an enterprise. Why? Because we are witnessing disappearing boundaries in terms of the extended reach and network of an enterprise.

Sivarama Krishnan :

The harder economic realities obviously impacted the cost of IT operations. Hence, it was wise for CIOs to turn to managed security services as these would reduce cost and simultaneously enhance CIO's reach for skilled resources at a lower cost. As I said earlier, security practices are now moving towards a value-based approach. Investments in security and resource availability will directly depend on the value organizations see in protecting their information. Managed services offer CIOs a viable way to access good resources - if they run enterprises that do not deal in sensitive data.

However, you will also continue to see in-house security teams being maintained in verticals that see security as an absolute essential for their businesses, such as BFSI, telecom and IT/ITES..

Sivarama Krishnan :

Insider threat has always been on the high side. During the initial years, insider problems were due to a lack of employees awareness.  However, with the Internet eliciting economic value from every scrap of information, insider threat to gain economic benefit has gone up.

Also, over the years, corporate networks have gone beyond the organizations' walls to include its customers and suppliers. Hence, you see a surge in insider threat leveraging these extended corporate operations. As Indian corporates globalize their operations, they will see similar trends. Nevertheless, I believe that Indian corporates are well prepared for these threats; look at the number of reported incidents in India, are lower than the global average.

Sivarama Krishnan :

That perspective isn't true for Indian enterprises - other than multinationals. As we have seen several mergers and acquisitions in the BFSI vertical along with various cases of government investments across the globe, it is true that some regulatory requirements have been enhanced. Nevertheless, this is more of a global phenomenon and it does not hold good for natively Indian organizations.

Sivarama Krishnan :

Not only will organizations change the way they invest in security and compliance in 2010, but also the way they invest in IT overall. As the realization of benefits become clearer, CIOs will continue their focus on optimizing the use of existing resources and reducing the size of their non-core workforce. I think CIOs will spend more on introducing higher levels of automation.

Sivarama Krishnan :

I think enough investments have been made in securing various IT infrastructure levels. The threat perception has now changed to leverage the value of information rather than gaining unauthorized access or inducing the unavailability of resources. CIOs now need to focus on what information they should secure and what is its value. Based on this value, they need to decide how and what needs to be protected. I believe CIOs should have a much larger focus on end-user awareness and compliance.