With an eye to the threat horizon several years out, organisations can no longer afford to leave responsibility for managing security risks at the door of the information security department. Instead, organisations must adopt a much more strategic and business-based approach to risk management, says Steve Durbin, global vice president of the Information Security Forum (ISF).
"While we're now emerging from the economic downturn, certainly here in the US at least, there has been reduced investment across the enterprise and in information security in particular," Durbin says. "Enterprises are now playing catch up. Cybercrime, the malspace, those guys didn't suffer from the downturn.
"While individual threats will continue to pose a risk, there is even more danger when they combine, such as when organised criminals adopt techniques developed by online activists," he added. "Traditional risk management is insufficiently agile to deal with the potential impacts from activity in cyberspace. While executives recognise the benefits and opportunities cyberspace offers, their organisations must extend risk management to become more resilient, based on a foundation of preparedness."
The ISF is a nonprofit association that researches and analyses security and risk management issues on behalf of its members, many of whom are counted among the Fortune Global 500 and Fortune Global 1000. The ISF recently released Threat Horizon 2014, the latest in an annual series of Threat Horizon reports that forecast the changing nature of the information security landscape. The ISF predicts that both the range and complexity of information security threats will increase significantly over the next two years, and that organisations must prepare now.
Durbin notes that security is no longer just a matter of protecting data and IP. Data breaches can have a material impact on brand and reputation - and ultimately stock price - Durbin says, making security a top-level matter for the business as a whole.
The report identifies three primary drivers of risk that organisations should focus on over the next two years.
External security threats
External threats will remain a top consideration and Durbin predicts the threat will evolve as a result of the increasing sophistication of cybercrime, state-sponsored espionage, activism's shift online and attacks on systems that affect the physical world, including industrial control systems. The ISF predicts the following:
Cyber criminality will increase as the malspace matures. Organisations that commit cybercrime, espionage and other malevolent activity online have already achieved global scale and incredible sophistication and will continue to grow and develop in the coming years.
The cyber arms race will lead to a cyber cold war. Nations are already in the process of developing more sophisticated ways to attack via cyberspace and will improve their capabilities in the coming years. Nations that haven't already developed this capability will get programmes under way. And businesses in the private sector shouldn't assume they'll be immune. The ISF predicts businesses will suffer collateral damage, especially as targets for espionage will include anyone whose intellectual property can turn a profit or confer an advantage.
More causes will come online and activists will become more active in cyberspace. The ISF predicts anyone who is not already using the internet to advance their cause will start doing so over the next two years, including customer affinity groups, community associations, terrorists, dictators, political parties, urban gangs and more. All of them will find inspiration in the examples of the Arab Spring, Occupy Wall Street and Wikileaks.
Cyberspace will get physical. The Stuxnet computer worm that destroyed a number of uranium enriching centrifuges in Iran in 2010 was an early example of this trend, Durbin says. The ISF believes the increasing convergence of cyber and physical will lead to more attacks on physical systems, from attempts to turn off lights and climate control systems to disrupting manufacturing systems.
To prepare for these threats, the ISF recommends that organisations ensure that standard security measures are in place, and that they develop cyber resilience by establishing a cyber security governance function, timely attack intelligence gathering and sharing, a resilience assessment and adjustment capacity and a comprehensive response plan.
Malicious outsiders aren't the only things organisations should be worrying about. The regulatory environment also bears watching. ISF predictions include the following:
New requirements will expose weaknesses. The move toward transparency in security disclosures will publicise weaknesses. The ISF says organisations forced to report security risks may have as much to fear from customers and business partners as from hackers and regulators.
A focus on privacy may be a distraction from other security efforts. New privacy requirements demanded by consumers, business customers and regulators will impose a heavy compliance burden, the ISF says. Organisations will have to decide whether to invest in the necessary security and legal controls, outsource, or leave certain markets altogether. The ISF notes organisations will also have to consider the message their actions send to customers.
To prepare for these threats, the ISF says organisations should amend their data protection frameworks and information management procedures to reflect legislative changes and review new requirements in detail to align privacy-related controls with other controls. The ISF also recommends joining and participating in industry and other associations to assess and influence policy.
Internal security threats
There are also internal issues to consider, both as a legacy of under-investment during the economic downturn and because of the blistering pace of technology evolution. The ISF predicts the following:
Cost pressures will stifle security investment, harming the information security function's capability to keep up. Even organisations that are once again investing in information security can't correct a history of under-investment overnight. But cybercriminals have continued to invest in their capabilities throughout the downturn, and organisations can expect that it will be easier and less expensive for criminals to acquire the technology and services they need to perpetrate their crimes.
Clouded understanding will lead to an outsourced mess. The ISF believes that continuing cost pressure will lead to a new digital divide that separates businesses into organisations that understand the marriage between IT and information security and organisations that don't. It predicts leading organisations will appreciate the strategic value of channels, systems and information and will invest in those areas. Organisations that don't get it will suffer competitive disadvantage and heightened risk of damaging incidents.
New technologies will overwhelm. The ISF expects organisations to continue to rapidly adopt new technology. Along with the business benefits of doing so will come new vulnerabilities and methods of attack. Organisations must understand their dependence on technology or suffer a nasty surprise.
The supply chain will spring a leak as the inside threat comes from outside. The ISF notes that a modern organisation's data is spread across many parties, leaving that data vulnerable to incidents that affect its suppliers. The ISF says these risks will increase as organisations further digitise their supply chains, outsource additional functions and rely on external advisors.
To prepare for these threats, the ISF recommends security professionals help senior management understand the value of information security. Organisations should adopt information security governance and integrate it with other risk and governance efforts within the organisation. Businesses also need to understand their risk appetite and ensure the value of continuous security investment meets the business need and is adequate and well spent.
Finally, enterprises also need someone to take ownership of coordinating the contracting and provisioning of business relationships, including outsourcers, offshorers, supply chain partners and cloud providers.