Core CTO Ivan Arce has addressed the challenge of accurately predicting the future of IT risk management, and offered his best theories on how to do so, in a new blog post on

Our CTO and co-founder Ivan Arce is a very curious guy, and by curious I of course mean inquisitive, not strange, though my lack of sufficient Spanish speaking skills does lead to some moments when I wonder if he’s telling our fellow Argentinean colleagues that the marketing guy has said or done something of questionable logic again. All jokes aside, Ivan is truly a visionary when it comes to matters of IT security. I know that every marketing pro or company henchman is supposed to say these types of things about their executive leadership, but if you’ve read any of his blog posts here or over on, where he has been contributing on a semi-frequent basis, it’s clear that Ivan isn’t merely interested in selling licenses of CORE IMPACT or evangelizing for the broader adoption of penetration testing. The level of consideration that goes into his posts and the discussions they foster makes it obvious that in addition to his utter mastery of the English language, this is someone who has made contemplation of matters of IT security and risk management one of the central themes of his life, in addition to his day job.

Having now fully established my role as a shameless sycophant for one of our execs, I’d like to point you in the direction of his latest CSO “Attack Points” blog, which delves into the future of IT risk management and offers his opinion on why the annual slate of Q4 expert year-ahead IT security landscape predictions aren’t really all that useful in terms of predicting the future. CSO is also currently running a terrific Q&A with one of our star customers, Bob Maley, CISO for the Commonwealth of Pennsylvania, which details the state’s use of penetration testing as part of its comprehensive vulnerability management program. What follows is a partial excerpt of Ivan’s “The Future of Risk” blog on I encourage you to point your browsers over there to read the whole thing, as clearly, we over here at Core think that it’s pretty exciting and interesting analysis. So without further ado…. The Future of Risk (excerpted from

What may 2030 look like to the CISO or to the information security practitioner? What will be the prevalent form of Information Security Risk Management? Although I can’t provide definitive answers I do feel confident enough to share some thoughts and predictions knowing that it is unlikely that I’ll be made accountable for them in 20 years. While the exercise has little immediate pragmatic value it may be useful to foster longer term strategic thinking about the infosecurity community, the market and the evolution of threats and risk. Assuming that Moore’s Law still holds, by 2020 an off-the-shelf computer will provide more than 30 times more raw computing power than today’s price equivalent.

By 2030 the increase in computing power per system will be more than a thousand-fold with a similar increase in storage capacity and network bandwidth. These highly powerful systems (for today’s standards anyway) will be pervasively deployed across the more developed regions of globe using embedded software on mobile platforms. They will have the ability to aggregate their capacity and build ad-hoc networking on demand and to provide it as a commodity to various types of consumers ranging from individual users to large organizations. Such aggregation and acquisition of computing resources will be available to all infosecurity practitioners for both defensive and offensive purposes. Systematic discovery and exploitation of vulnerabilities will be commonly acknowledged and accepted as part of the cost of conducting business and individual social interaction. Distributed computing and distributed data storage will be a standard capability of even the simplest application rendering the distinction between data-at-rest and data-in-transit as irrelevant as the definition of a network perimeter. Building a one-to-one correspondence between data assets and computing resources will be impossible, building many-to-one mappings may not be useful at all or feasible in the time necessary to assess risk and deploy avoidance or mitigation mechanisms.

On demand real-time transferring of risk will thrive. In an environment of relative abundance of computing power, bandwidth and ubiquitous data, information security operations will be mostly focused on supporting continuous and intelligent acquisition and maintenance of the Quality of Computing Services capability, an organization’s ability to draw in real time aggregated computing power and data in an economically efficient manner from a multitude of seemingly opaque providers. While the distinction between data assets at rest or in transit may not be relevant and the attempt to enforce access control policy on them completely meaningless the protection of the intellectual property used to create Data Derivatives of second order (information differentials) and third order (information about information differentials) from suitable and readily available data and computing resources will be of greatest importance. In that context, any definition of Information Security Risk as the function of a set of threats, vulnerabilities and assets identifiable and quantifiable at given point in time will be either obsolete or severely limited. Today’s risk management tools based on (at best) simple linear regression models with additive risk calculations over that set will seem as rudimentary as using an abacus for financial forecasting. Click here to read the rest of Ivan’s blog on