I get the question a lot at conferences like Black Hat: What do I see as the next big thing in security? I usually respond with a blank stare. The reason is that I see absolutely nothing new, and haven't for some time.
Some might say that's a cynical, jaded response. I don't think so. Security doesn't need a constant torrent of new trends to be interesting and important.
A decade ago, when I first started writing about the security industry, it seemed as though I was chasing a new trend every year, then every six months. In the beginning the big news always involved worm outbreaks like Sasser and Mytob. First a big vulnerability would be revealed on Patch Tuesday, and then someone would exploit it with malware. Then the trend shifted from covering that to chasing the latest data breach. From early 2005 onward, every time a company announced it had suffered a breach, reporters like me would have to drop everything and chase it. Eventually, breaches were announced so often that they ceased to qualify as breaking news. Then the trend shifted to such things as hacktivism and the rise of cloud insecurity. The one constant along the way has been the challenge of regulatory compliance, from HIPAA to Sarbanes-Oxley and PCI DSS.
But in more recent years, especially the last two or three, I've seen nothing new. It's the same old threats and the same old technological and cultural challenges.
Gone are the days when I attended security conferences in hopes of catching a new trend. As I see it, we keep coming to these events in hopes of finding some new morsel of information on how to deal a little more effectively with the same old stuff.
Sometimes fresh insight comes our way. Sometimes we walk away with more questions than we started with.
Will some major shift take place in the next couple of years? Perhaps.
For now, I'm more interested in how we deal with the older problems that continue to vex us.