
Blog Author: David Lacey, The Jericho Forum, Honorary Fellow

David Lacey's blog, 16-07-2009 18:47

Information security at the crossroads

I’m a great believer in looking ahead at new trends in security, as well as taking a step back and assessing what’s happening around us. It’s important to do this because information security is a subject that’s in constant flux, driven by an ever-changing threat and technology landscape. We all need to keep an eye on emerging problems and check that legacy solutions are still fit for purpose.

This year, we can see the convergence of several trends that are stretching our capability and thinking in new directions. Security is always a ‘catch-up’ function, as the development of solutions lags behind the problem space. Unfortunately, the lack of resources and proactive developments means that we’re falling further behind, and we might not get the resources needed to get back on top. Ruthless prioritisation will be needed to survive the emerging threat landscape. The question is: what should we do within our limited capabilities?

The most visible trend is the impact of the recession, which has caused a good deal of inertia, with budgets slashed and projects canned, amid a wave of restructuring that’s taken the wind out of the sails of anyone with a spark of initiative. Big programmes are out of fashion. Consolidation is the best strategy, at least for the moment.

And consolidation takes a number of forms. We can also expect more mergers of functions, such as the trend to join up information and physical security, though the relationship is often uncomfortable. Physical security is a part of information security. Yet information security is also a part of physical security. Which is broader? The answer is both and neither. Business priorities are what count. And this time it’s information security that’s coming out on top. It’s a different perspective from the post-9/11 climate, when physical security threats suddenly hit the management agenda.

We also have the vendor community working hard to transform the marketing pitch around their products to fall in line with the latest fashions. Last year everything became a ‘data leakage prevention’ product. This year it’s all about ‘cloud computing’. This is an important new area to get right, but we’re still a long way from understanding the risks and filling in the solution space. Securing the cloud will run and run, however, and get bigger as it dawns on enterprises that they’re losing control of their data, in an increasingly risky world in which everyone’s out to get their hands on it. But we can’t simply sit back and wait for someone else to solve the problems. Organisations will face different sets of problems. We all need to start now on developing a security strategy for cloud computing.

There are also problems that we’ve failed to fix properly in the past, such as identity management and security awareness. They remain firmly at the front of our minds but generally fall into the ‘too difficult to fix’ category. But these problems will increase in importance over the next few years. In particular, the need to do more to address the human factor is becoming clearer to executive boards and business managers. We can no longer keep putting it off. The problem is that few enterprises have a decent budget and a clear idea of precisely what’s needed. You don’t need to spend a fortune, however, to get results. A lot can be done with smart, low-cost interventions.

Data breaches seem to be having less impact these days because they’re becoming all too familiar, and we now have well-rehearsed excuses for why they happen. I’ve been forecasting for many years that the next big incidents will be attacks on data integrity. It’s a widespread exposure, but it’s been sitting below our radar for many years. Check out my Infosecurity podcast interview for more on this.

Putting these trends together, it’s clear that ‘more of the same’ won’t do for the future. We need a new strategy, new priorities, new defences and far greater leverage for tackling enterprise-wide (or even community-wide) problems. We need a new direction for security. And the current period of consolidation is the best time to create the necessary road map.



Permalink:
http://www.infosecurityadviser.com/view_message?id=128

Comments:

Julian I Fraser, 14:08, Wed 29th Jul 2009

I attend several DIPCOG / CIPCOG events throughout the year where public sector Information Security Pros mingle with many of the top companies in the defence security sphere. There has been a detectable change within this community over the last two years. The HMRC Leak and the Data Handling Review have meant that those at the policy-making level are driving the information security agenda forward. However, in my experience those lower down the public sector food chain are still not informed and taking the issue as seriously as they should. There is in fact an alarming disconnect here.

I believe that for many, information security is a disabler rather than an enabler, e.g. it means you can't work from home or use your memory stick to conveniently transfer files. So greater security will arrive principally because it is mandated from above (e.g. by government) and its implementation will be very slow. In line with the new policies I refer to above, tighter security will be required by government when granting large IT contracts to major private companies. The contractors to those major companies will, in turn, have to tighten their own systems in order to get a share of the business. It will, I think, be a trickle-down effect.

In sum, I don't feel that we are at a crossroads but rather slowly manoeuvring from the slow lane over to the middle one. It's going to be a long journey.
Adam Drabik, 18:31, Thu 23rd Jul 2009

Is Information Security really at the crossroads? Playing "catch-up" was always something that the infosec function had to face. I think the major focus should be to make sure information security is present on a proactive rather than reactive basis. This is well before any serious money is spent on protective/control technologies. In that sense we are at a crossroads: whether we link to the top business management and participate in strategy and tactics development (business enablers) or stay as mere IT support (perceived as business showstoppers). Such a dramatic change of mindset for many organisations requires full support and drive from the business executive levels. Most companies see Information Security as an IT rather than a business function, and reporting lines reflect that well. This is the mindset that needs to change if information assets (which are clearly business-owned information) are to be adequately protected.

What to do during the recession then, when no money and no resources are available? In my opinion it's best to take a top-down approach. Review and adjust the current organisational structure, policies and standards, to refresh the framework to be wrapped around the core business of the company. Show the direct link between security and business; present clear business cases with good benefit/loss analysis. From my experience, reworking the "basics" using existing manpower doesn't require huge budgets to be secured. This could well be detached from big change programmes of ground-level technology to make it manageable in the current economic climate. Changes to appropriate technical controls should be funded and in scope with the main technology change. Once the real business-level link is established and relevance seen by the business leaders, it will be much easier to secure funding for larger-scale security-focused improvements.

Consolidation with physical security? Not necessarily the only way, as there are also other business functions: governance, risk, compliance, corporate security etc. All these are relevant.

David mentioned the human factor being important. I would only emphasise that. What is needed is an organisation-wide awareness programme, but even more importantly a clear accountability definition. In one of the world's largest corporations the catchy infosec marketing phrase was "Information Security - Everyone's Responsibility". Who really is this everyone? In real life it means "not my", so it must be clearly communicated that accountability and responsibility for protection of information is expected from every single employee, at all levels. Only then educate staff on "how".

Lastly, I also agree with David's position on data breaches: yes, they are becoming more common. What makes them ignored is the lack of clearly defined accountability, responsibility and proper consequence management, rather than just rising numbers.

New direction then? Absolutely. Moving away from IT focus and getting close to the business.

© 2008 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs