Several interesting reports have recently been published that look at how administrators will need to approach IT security over the next few years, as well as how they should handle their jobs if they want to advance.

Aberdeen findings and predictions
First, Boston-based Aberdeen Group (whose recent report on CERT listings of Linux vulnerabilities caused such a stir in my January 6 column) has published a platform-neutral report titled “2003 Predictions for Security and Privacy.” The report contains the company’s view of the most important trends in the area.

Highlights of the report include the prediction that identity theft costs will triple from the estimated 2002 figure of $8.75 billion to $24 billion this year. That includes all costs, including those to victims and the financial institutions involved. It’s dismaying that most of the prosecutions and investigations we hear about are still focused on copyright protection and such.

The number of reported security incidents has climbed from about 50,000 in 2001 to double that in 2002. Aberdeen draws the obvious conclusion that this figure will probably double again in 2003, which would result in more than 200,000 incidents reported by the end of this year.

A more questionable statistic is the number of unreported security incidents that Aberdeen sees as “climbing from 4.1 million in 2001 and 7.9 million in 2002, to 15.9 million in 2003.” This may be accurate since obviously many incidents, even critical ones, go unreported, but Aberdeen hasn’t included any information about how or why it made this estimate.

Easier to understand is the prediction that companies will continue to dump first-generation intrusion detection systems that report so many false positives that they have proven to be practically useless in many environments. Aberdeen says that these old pattern-matching monitors will be ditched as more and more companies realize that supporting them is a waste of resources.

It also predicts that spam will almost double in volume from 2002 through the end of 2003, and it’s difficult to argue with that prediction. Unfortunately, Aberdeen Group also sees government preparation for cybersecurity not advancing beyond the planning stages in 2003.

Cybersecurity market growth trends
International Data Corp (IDC), a division of Framingham, MA-based International Data Group (IDG), has released “Big Picture: IT Security Products and Services Forecast and Analysis, 2002-2006.” The consulting firm’s 16-page report (which costs $2,500) centers on a prediction for cybersecurity market growth, saying that it will grow from the $17 billion spent in 2001 to $45 billion in 2006. The largest growth is in security-related hardware.

Information Security (which, as far as I know, is not an IDG publication) has reported that previous predictions by IDC have often come within 10 percent of the final numbers. An analysis of another IDC report from Pacific Business News says that Asia-Pacific region companies typically spend between 8 and 14 percent of their IT budgets on security and that the spending will jump to 9 to 17 percent in 2003. There is a growing concern over the impact of viruses, and companies are expected to move beyond firewall and antivirus software to deploying more VPNs.

Proprietary software vs. open source
Anyone wanting to continue the debate over which software approach is more useful for security, proprietary (closed source, e.g., Microsoft) or open source, will be interested in the recent talk given by a Cambridge don, Ross Anderson, the head of security for the University of Cambridge Computer Library.

Anderson escaped unscathed from a Linux User's Group meeting at London's City University after saying that there was little difference between the security of open source and proprietary software. He said that what matters most in software security is how fast patches for new vulnerabilities are produced and how quickly they are applied in the real world.

His conclusion that open source is not more secure rests on the fact that attackers always have an easier job than defenders, if only because an attacker needs to find just one hole while the defender has to protect everything. Given this argument, it follows that although it may be easier to discover problems and produce patches for open source software, it is also easier for attackers to analyze it for vulnerabilities.

This doesn’t make open source extremely vulnerable, according to Anderson. What it does is level the playing field so much that there is no obvious reason to select open source over proprietary products for security reasons. This is simply a critical analysis of the various conditions involved.

A report of Anderson’s presentation in The Register included this telling comment:

“Audience members remarked that software vulnerabilities often turned up in the ‘boring bits’ of operating systems. Perhaps because developing these functions was left to the least competent programmers and developers, some suggested.”

If you want to take issue with Anderson’s conclusions, you first need to read his full statistical analysis, “Security in Open versus Closed Systems—The Dance of Boltzmann, Coase and Moore.” Anderson’s Web site is also interesting because it focuses on the economics of security.

Final word
Every indication is that security professionals will face massively increasing demands in 2003 and in the years ahead. No matter what software you support now or are trained to manage, I think the most important piece of information you can take away from this column is the IDC study, which predicts a 25 percent compound annual growth in the cybersecurity hardware market over the next five years. Someone has to manage the purchasing, installation, and operation of that hardware.

IT pros who can develop a skilled and professional approach to security will be able to manage the variety of systems and platforms that companies select from among the many vendors now vying for a share of the security gold mine. The days of worker shortages and big signing bonuses may be long gone for dot-com Web designers, but they may be just beginning for security professionals.