It’s the first day of the working New Year. A time for reflection, trawling through the rubbish that has accumulated in your inbox over Christmas and staring mournfully at the salad that your beloved other half has deemed appropriate food for the next month.
It’s also quite an exciting time in the Public Sector, as it’s now 90 days until the end of the fiscal year, which means it’s a time for InfoSec projects to have make-up applied and generally get glammed up before being presented upstairs for assent. And so what do we think the big topics and projects are going to be?
It looks like allegedly regular run-of-the-mill projects such as anti-malware will still be high visibility during this period. There are various major projects itching to get started, plus the usual round of software licence renewals to cram in before the 31st March. All of these will be subject to scrutiny like never before, but it never ceases to amaze me that this is still a huge topic. For a long time anti-malware (the software formerly known as AV) was the poor relation, a must-have like firewalls, but hardly sexy like … um … virtualisation or cloud. But if last year taught us anything, it’s that getting the basics right is just as important as ever. The bad guys are still there, better organised, better funded and people are still clicking on the links we tell them not to.
The other big topic looks like being the burgeoning arena of open data. Over Christmas, Eric Pickles issued a grumpy statement about the number of local authorities that have published their data and the fact that well over half have yet to do so. I suspect that the reasons for not doing so are three-fold: prioritising the work; ease of publishing and finally the crucial one, getting it right. As I have raised before, this process is laudable, but the potential for screwing up royally and publishing wrong data is quite high. This is a classic people/process/work-flow dilemma, and given that there is no extra cash available for this sort of project, a conservative approach is best used. Still, it is perfectly possible to do this in a meaningful manner and not screw it up, especially if you follow the lead of the likes of Windsor & Maidenhead or Warwickshire.
The final one is the cloud and virtualisation piece. No self-respecting InfoSec blogger is going to fail to mention this at least once a week, and I don’t feel the need to buck the trend right now. The cloud/virtualisation topic still fills me with dread, as the security element of virtualisation is relatively new technology, and I still haven’t seen a coherent statement regarding minimum standards. However, as PSN gathers pace and starts to have all of its bits plumbed in and switched on, G-Cloud providers will be pitching for business this coming year. I know what my stance is on securing this (it’s still about the endpoint), but I am looking forward to seeing what the providers have to say and whether public bodies buy it (both conceptually and with actual cash). My personal belief is that 2011 is NOT the year for Government in the clouds, but we shall see…
So I’m off for a rice cake with low-fat spread washed down with water. And in the meantime, get applying the lippy to your security project and don’t forget to remember that without proper security in place, it ALL falls down.