The Promise of Cloud Security


After more than 50 years of investment in information security it would seem reasonable to expect the IT community to be winning its perennial battle with hackers, crackers and the assorted other threats to the integrity of corporate data and systems. The reality, sadly, is very different.

Although studies suggest that familiar threats such as viruses and the teenage hacker are less potent than they used to be, in most other respects the IT security challenge is still expanding faster than many chief information security officers (CISOs), or their allies in the information security industry, will care to admit publicly.

The fact is that as IT penetrates ever more deeply into the fabric of our personal and business lives, not only is the range of systems and data vulnerable to attack expanding, but the scale of the potential consequences of such attacks is increasing more quickly still.

Indeed, according to PricewaterhouseCoopers’ latest Information Security Breaches Survey, 92% of UK companies experienced an IT security incident of some kind in 2009: more than ever before. Worse still, PwC estimates that the total cost of IT security to the UK economy, already a staggering £5 billion in 2008, is set to double this year to more than £10 billion.

Where did it all go wrong? Some of the reasons for today’s IT security crisis are already widely recognised. Too many organisations still pay too little regard to creating or enforcing information security policies, or to the staff education and training needed to make them work. Too many others fail to stay abreast of changing threat patterns and the shifting technological responses needed to combat them. And, even at organisations that do prioritise and fully fund IT security, there are still always times when business fluidity is deemed more vital than systems security.

However, another reason for the continuing crisis in information security is much less widely recognised: the widening incompatibility between traditional, centralised IT security models, and the growing appetite for practically borderless interaction between the data and systems of organisations, their partners and their customers.

The Jericho Forum, an association of CISOs from global companies, was the first organisation to recognise this issue, and has done much to raise awareness of the need for “perimeter-less” information security among fellow information security professionals and security vendors. More recently, organisations such as PwC have followed the Jericho Forum’s lead and called for the wider use of data-centric technologies like encryption and federated ID management.

But groups like the Jericho Forum and PwC are facing an uphill battle. However much IT users and suppliers may agree with the theory of perimeter-less, data-centric security, in practice both communities are unlikely to greet the need for change with any great enthusiasm. Vendors, after all, have years of investment in perimeter-based security tools to protect, and users, particularly in these challenging economic times, will be reluctant to spend scarce resources on a new security infrastructure when there are plenty of other more productive projects they could invest in.

Projects, for instance, such as the creation of a more seamless and flexible IT service infrastructure based on virtualisation and cloud computing technologies.

In fact, although virtualisation and cloud computing are still commonly regarded as trends that are only likely to add to the challenges faced by information security professionals, the opposite may yet prove to be the case.

Unlike today’s digital business environment, which obliges companies to share data and systems across a mish-mash of public and private services that rarely support common security technologies, or conform to a coherent set of information security policies, the next generation of cloud-based services may be very different.

Following on from the awareness raising efforts of groups such as the Jericho Forum, new bodies such as the Cloud Security Alliance have appeared that are working to create common codes of conduct and technology standards for creating secure cloud services. The CSA is still in its infancy, and like all industry associations and standards bodies, its capacity for creating useful working standards is always likely to lag behind the requirements of the industry that it is trying to serve.

Nevertheless, the fact that the nascent cloud services industry has already produced an organisation dedicated to creating common security standards is a cause for celebration, because it means that the next generation of cloud-based IT systems may actually have security designed in from the outset. In the ongoing information security arms race, this may be a development that finally makes a real difference.

This post was written by:

Phil Jones - who has written 15 posts on IP EXPO ONLINE.

