Topics:
Government Policy
Well, it’s that time of year again: lots of prognosticators making predictions for 2009 as they take a look at 2008 in the rearview mirror and try to figure out what’s in front of us in the New Year. So, I’ll join the legions of IT experts guessing what may be in store in the coming months as we raise our glasses to 08 and toast 09 with anticipation, hope and, given the current economic climate, with consternation as well. Since I am a creature of Washington and have the opportunity to work with the U.S. Congress, I’ll focus on what steps we might expect our national legislature to take in 2009 as it relates to information security and privacy issues.
Topics:
Encryption, PCI
Encryption is one security control that's showing up a lot more frequently these days; in many cases the choice to implement encryption isn't optional. PCI requires it, state PII protection laws are starting to demand it, and many other government and industry regulations imply it as a requirement. The other thing that's changing the way we look at encryption is that it's becoming ubiquitous - many of the hardware and software products we buy that touch information now have encryption built in. All of these factors are combining to make encryption one of the fastest growing areas of security. So what's the downside?
Topics:
Data Loss Prevention
As companies everywhere seek to reduce capital and operational expenses in a troubled economy, they ask themselves, “How can we spend as little as necessary today to minimize additional costs throughout the next year?” IT and security professionals relate to this as their goal is to never have to withdraw from the Contingency Reserves (or similar) budget item. Contingency Reserves is finance-speak for the allocation you must set aside to accommodate potential financial ramifications resulting from IT security breaches. These breaches occur when sensitive information leaks into the wrong hands, most frequently as a result of inadvertent internal error.
I love crime shows: Law & Order SVU, Inspector Morse, CSI:, the occasional episode of Monk, and others. (OK – I’ll admit I like some of these for the drama as well!). I also love a really good “Who Dunnit?” novel – usually with a good twist or two, of which Jeffery Deaver is quite the modern master.
Topics:
PCI
My colleague, Paul Stamp, recently shared his thoughts on the global economic downturn and the fact that it is making many organizations concerned that their IT security budgets will be cut. Echoing Paul’s observations, almost all the customers I’ve spoken with have not seen their PCI budgets cut, but that is not to say they aren’t concerned. Many have expressed a desire to stretch their dollars further, asking the question, “When it comes to PCI and my other security and compliance initiatives, how can I do more with less?”
Topics:
SIEM
Also at the IANS conference, we talked extensively about enterprises' budgets. Apart from a few notable exceptions, most agreed that budgets hadn't been significantly cut...yet. It stands to reason – nobody buys security because it’s cool, or because they have extra cash in their pockets. On the other hand, few thought their budgets were immune to being cut in the near future either, though. Either way, just about everyone was finding that they needed extra justification for their security purchases.
Topics:
Data Loss Prevention
Okay, raise your hand if you are scared of the word “policy.” Policy is sometimes an overused word that sounds simpler than the complex thing it actually is, and if not properly thought out, can be a headache to implement. RSA’s Information Classification and Policy Research team spends a lot of time focusing on the accuracy of Data Loss Prevention (DLP) policies. This week, we’re giving some hints for success and best practices that we’ve learned by working with both early adopters and some of the world’s largest companies. We know from experience that you can have the most accurate policy and it still may not be the right policy for your organization. Here’s how to figure it out...
Speaking of Security: