Home » Identity & Access » Identity Management

Q&A

Three Big Trends in Information Security: Past, Present and Future

A 20+ year industry veteran, Joanne Moretti of CA Inc., gives us her take on the biggest drivers in IT security and looks not only to the past, but predicts what CSOs and CIOs are heading for in the future

By Joan Goodchild, Senior Editor

September 23, 2008 — CSO —

As a senior vice president in charge of industry analyst relations with CA Inc., Joanne Moretti is required to always have her finger on the pulse of information security. Moretti, who was recently named a "Woman of Influence" at the Executive Women's Forum, has been working in IT and security for more than 20 years. Her career as a security practitioner began as an ACF2 programmer on mainframes. She joined CA as a technical consultant and eventually worked her way up to general manager of sales, first with CA Canada, and then for CA's US West business. She assumed her current IAR role earlier this year. Moretti recently sat down with CSO Senior Editor Joan Goodchild to talk about what she's seen CSOs and CIOs struggle with over the years. She also forecasts pain points that are coming down the line.

Where did CA see the most growth in IT security in the last decade?
It's funny, because things often emerge as trends and then people jump on the bandwagon. Then they fizzle out and the real problem begins. So, it's almost like software is often a bit ahead of its time.

I think the biggest trend I saw emerge in recent years was identity management and role-based management. That's a good example of something that went through the cycle where there was a big spike in industry, then it tapered off, then compliance came around with Sarbanes-Oxley and it picked up again. And the big driver behind identity management is becoming more efficient.

I think there are three real big reasons why people focus on identity management and automated provision. The first is cost. Companies often have a security group managing an Oracle environment, and a separate group managing a Unix environment, as well as separate security groups for Mainframe and SAP environments. That literally happens, even today. There are all these pockets of good work going on, but it's not connected and there are too many of them. CIOs and CSOs are faced with the dilemma of all these resources and people managing security. But a lot of resources not well utilized.

Another big reason for focusing on identity management is risk. And then, thirdly, is compliance. Compliance put the icing on cake, so to speak. When the regulations started coming out, when SOX became big thing, then it got to be a real pain. People couldn't identify who was doing what on the system to their auditors. So there were audits findings and risk all over the place and compliance regulations that needed to be followed. So those are three key drivers: cost, risk, and now, compliance. That's what drove identity management through its big spurt.