By Thor Olavsrud Mon, April 02, 2012
CIO—With an eye to the threat horizon several years out, organizations can no longer afford to leave responsibility for managing security risks at the door of the information security department. Instead, organizations must adopt a much more strategic and business-based approach to risk management, says Steve Durbin, global vice president of the Information Security Forum (ISF).
External Security Threats
- Cyber criminality will increase as the malspace matures. Organizations that commit cybercrime, espionage and other malevolent activity online have already achieved global scale and incredible sophistication and will continue to grow and develop in the coming years.
- The cyber arms race will lead to a cyber cold war. Nations are already in the process of developing more sophisticated ways to attack via cyberspace and will improve their capabilities in the coming years. Nations that haven’t already developed this capability will get programs under way. And businesses in the private sector shouldn’t assume they’ll be immune. The ISF predicts businesses will suffer collateral damage, especially as targets for espionage will include anyone whose intellectual property can turn a profit or confer an advantage.
- More causes will come online and activists will become more active in cyberspace. The ISF predicts anyone who is not already using the Internet to advance their cause will start doing so over the next two years, including customer affinity groups, community associations, terrorists, dictators, political parties, urban gangs and more. All of them will find inspiration in the examples of the Arab Spring, Occupy Wall Street and Wikileaks.
- Cyberspace will get physical. The Stuxnet computer worm that destroyed a number of uranium enriching centrifuges in Iran in 2010 was an early example of this trend, Durbin says. The ISF believes the increasing convergence of cyber and physical will lead to more attacks on physical systems, from attempts to turn off lights and climate control systems to disrupting manufacturing systems.
To prepare for these threats, the ISF recommends that organizations ensure that standard security measures are in place, and that they develop cyber resilience by establishing a cyber security governance function, timely attack intelligence gathering and sharing, a resilience assessment and adjustment capacity and a comprehensive response plan.
Regulatory ThreatsMalicious outsiders aren’t the only things organizations should be worrying about. The regulatory environment also bears watching. ISF predictions include the following:
To prepare for these threats, the ISF says organizations should amend their data protection frameworks and information management procedures to reflect legislative changes and review new requirements in detail to align privacy-related controls with other controls. The ISF also recommends joining and participating in industry and other associations to assess and influence policy.
- New requirements will expose weaknesses. The move toward transparency in security disclosures will publicize weaknesses. The ISF says organizations forced to report security risks may have as much to fear from customers and business partners as from hackers and regulators.
- A focus on privacy may be a distraction from other security efforts. New privacy requirements demanded by consumers, business customers and regulators will impose a heavy compliance burden, the ISF says. Organizations will have to decide whether to invest in the necessary security and legal controls, outsource or leave certain markets all together. The ISF notes organizations will also have to consider the message their actions send to customers.
Internal Security ThreatsThere are also internal issues to consider, both as a legacy of under-investment during the economic downturn and the blistering pace of technology evolution. The ISF predicts the following:
- Cost pressures will stifle security investment, harming the information security function’s capability to keep up. Even organizations that are once again investing in information security can’t correct a history of under-investment overnight. But cybercriminals have continued to invest in their capabilities throughout the downturn, and organizations can expect that it will be easier and less expensive for criminals to acquire the technology and services they need to perpetrate their crimes.
- Clouded understanding will lead to an outsourced mess. The ISF believes that continuing cost pressure will lead to a new digital divide that separates businesses into organizations that understand the marriage between IT and information security and organizations that don’t. It predicts leading organizations will appreciate the strategic value of channels, systems and information and will invest in those areas. Organizations that don’t get it will suffer competitive disadvantage and heightened risk of damaging incidents.
- New technologies will overwhelm. The ISF expects organizations to continue to rapidly adopt new technology. Along with the business benefits of doing so will come new vulnerabilities and methods of attack. Organizations must understand their dependence on technology or suffer a nasty surprise.
- The supply chain will spring a leak as the inside threat comes from outside. The ISF notes that a modern organization’s data is spread across many parties, leaving their data vulnerable to incidents that affect their suppliers. The ISF says these risks will increase as organizations further digitize their supply chains, outsource additional functions and rely on external advisors.
To prepare for these threats, the ISF recommends security professionals help senior management understand the value of information security. Organizations should adopt information security governance and integrate it with other risk and governance efforts within the organization. Businesses also need to understand their risk appetite and ensure the value of continuous security investment meets the business need and is adequate and well spent.Finally, enterprise also need someone to take ownership of coordinating the contracting and provisioning of business relationships, including outsourcers, offshorers, supply chain and cloud providers.Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.