Most people are familiar with this saying, which draws a line between what we might expect and what we are likely to encounter in the real world. It came to mind when I was reviewing a CSO piece entitled "Endpoint security trends for 2015: What can we expect?" by Kim Crawley, a Toronto-based web entrepreneur and security researcher for the InfoSec Institute.
In the piece, Crawley makes three predictions for endpoint security in 2015: "BYOD R.I.P.?,"A different antivirus approach" and "vendor reduction." I reacted to each with different degrees of belief.
On one extreme, "a different antivirus approach" is a really interesting observation, in which Crawley highlights limitations in signature-based antivirus (notably, zero-day attacks), and calls instead for anomaly-based approaches to antimalware. It's an important distinction, and should be followed in 2015.
Another of her predictions, "vendor reduction," may not fare as well. She sees potential for connections between vendors with complementary products - e.g., antivirus and network security appliances - as a means of reducing supply complexity. This POV has merit - reducing the gaps between different 'shields' through supplier integration would provide clear benefit to buyers - but it has business complexities that aren't necessarily responsive to such logic, and calls for actions that aren't necessarily shaped by engineering concerns.
The third prediction, "BYOD R.I.P.?," is the one that called the theory-and-practice saying to mind. Crawley is certainly correct when she says "BYOD introduces a multitude of security problems to corporate networks." However, the decisions regarding BYOD policy aren't likely to be made by security professionals - they'll be made by business managers who want employees (and in an increasing number of cases, customers) to have access to corporate network resources. The theory that security would be boosted by firms that "either switch to CYOD (choose your own device that's completely administered and controlled by an IT security policy) when smartphones and tablets are completely necessary for work, or eliminate work done on mobile devices" may be correct, but it most certainly doesn't follow that this will be motivation enough to move "many businesses that have BYOD policies [to] scrap them altogether." The days in which enterprise security worked like medieval castles (build a big wall, pull the peasants and cows inside, raise the drawbridge, or the digital equivalent thereof) are gone, and they are not returning in 2015 or any other year. Security policies, practices and technologies will need to adapt to an uncertain mobile 'perimeter' instead.
Endpoint security is definitely an approach that I favor. Keeping a network secure is an immense challenge that requires constant work and vigilance. Why introduce a client or server to your network before making sure that the device is as security hardened as possible?
Network-based information security attacks have been making the news with increased frequency throughout 2014. It's even gotten to a point where a lot of those incidents are being reported in mainstream publications and websites. And you can bet that for each incident that makes the news, there are possibly thousands more that we don't get to read about.
A lot of these problems can be prevented with a solid endpoint security strategy. Are corporations and institutions going to get smarter about it? In the rapid pace of tech, how will endpoint security implementation evolve in 2015? From my keen observations of what's going on in the IT world, here's what I predict...