Friday, November 27, 2009

What does 2010 hold for us infosec types?

I would like to see some of the following happening in the new year in Australian organisations in order for them to address key risk areas:

Application Security programs
  • Implementing trust-but-verify gates into the SDLC for security risk assessments, requirements documentation, static source code analysis, and functional and vulnerability testing
  • Risk-based testing schedules for applications in production that exercise the key controls in those applications (i.e. test critical apps in detail each release or year, with a rolling schedule of vulnerability testing for low-criticality apps)
Tactical Security Infrastructure projects
  • Large-scale Data Leakage Prevention (DLP) deployments with associated business process remediation
  • Virtualisation and rationalisation of perimeter security infrastructure
  • Logging, Monitoring and Reporting programs: integrity monitoring implementation, enablement of logging on end devices, and configuration of alerts in central monitoring software

(I doubt organisations will be kicking off large, difficult projects such as identity and access management next year, due to the after-effects of the GFC and a hesitancy to launch projects that won't deliver a "quick win".)

Security Management initiatives
  • Furthering development of good asset management, change and release management processes so that their outputs can drive appsec programs and vulnerability management processes
  • Pragmatic Information Asset Classification and Labelling (which could be facilitated by using DLP to discover information assets)
  • Security awareness and induction training

What I suspect I will see is the following:

  • DLP product sales that expect rollout and management by BAU resources, forgetting that DLP will identify broken business processes and systems that need remediation, and that well-organised support mechanisms will be required to prevent disruption to one-off business processes
  • The compliance-driven annual penetration test will now involve a web application security assessment of a sample application, bundled in as an optional extra
  • Writing of security policies only to satisfy audit findings, destined to become shelfware due to a lip-service approach to security
  • Refreshes of end-of-life perimeter security infrastructure forced by capacity-driven outages and a lack of vendor and system integrator support
  • Purely top-down risk management initiatives that do not progress beyond the generic, due to a lack of expertise amongst those performing the risk assessments

Any thoughts from out there in the blogosphere and twitterverse?
