Who Decides How to Allot Infosec Funds? IT Security Investments Shouldn't Be the Call of IT Security Managers
A new report from the Information Security Forum highlights what many security professionals know: the threats to IT will intensify over the next two years. With the risk growing greater every day, the role of IT security professionals must change to improve the security of their organizations.
Steve Durbin, the forum's global vice president, says high-profile incidents can have a drastic impact on businesses that could influence brand, reputation and stock price. Realizing these realities, he says, IT security professionals need to adjust to new roles within the organization.
"Traditionally, information security professionals are used to working with the technology," Durbin says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
Now, IT security professionals need to fill the role of a consultant, gaining input from different business units, such as legal, public relations and human resources, in order to determine "how they can best deal with some of the potential threats that are out there," he says.
By working more collaboratively with the enterprise, more concise cybersecurity strategies can be implemented, Durbin says, such as developing acceptable usage policies to be signed by employees for the use of mobile devices.
With high-profile breaches and new regulations around privacy and security making the rounds in the United States and the European Union, security professionals need to begin building those opportunities. "Ultimately, it's going to take quite some time before all businesses are used to having that kind of joined-up approach," he says.
In the interview, Durbin discusses how:
- Regulatory push for transparency could increase the cyberthreat;
- Privacy protections could be in conflict with IT security;
- Organizations ill prepared for rapidly evolving technologies such as mobile, social media and cloud computing can handle new challenges.
Business growth strategist Durbin joined the Information Security Forum in 2009 after a three-year stint as chairman of the DigiWorld Institute, a British think tank comprised of telecommunications, media and IT leaders and regulators. Durbin also spent seven years at the IT advisory service Gartner, with his last assignment there as group vice president worldwide.
Described as an independent, not-for-profit organization whose members come from some of the world's leading enterprises, the Information Security Forum investigates, clarifies and resolves key issues in information security and risk management by developing best-practice methodologies, processes and solutions.
ERIC CHABROW: The report points out the growing dangers in which different types of threats are being combined to create even more havoc for the IT security community. Please provide an example or two of these new inter-linked threats.
STEVE DURBIN: That's absolutely right. I think when we talk about the threats that enterprises need to be aware of, we put them into three blocks. We talk about external threats, we talk about regulation and we talk about internal threats. I think within each of those, if they were happening on their own the enterprise and the information security professionals would potentially be able to cope. But for instance, if we have a situation where cyber criminals determine that they're going to be hacking the enterprise - the enterprise perhaps has been suffering from a lack in critical investment over the last couple of years - then they're probably not going to be as able to deal with a potential breach or a potential hack, particularly as cybercriminals haven't been suffering from a downturn. They have been continuing to invest and information security departments, as we know from our members, have been suffering from a reduction perhaps in investment patterns. They're recovering from that, but it's going to take them more than 12 months to come back and I think that's the critical window ... that we're seeing at the moment.
Lack of Infosec Funding
CHABROW: If the organization doesn't have the money, what are they to do?
DURBIN: I think it's about aligning information security with the business. It's about sitting down and saying, "Look, there are probably 15 things that we should be doing, but we've only got sufficient funding to do three or four of them." That's not an information security professional's call. It's the business's job to determine how they're going to spend that money. It's the business's role to determine the risk profile that they wish to carry and to really decide with the security professional where they should be spending their time and the course of their hard-earned money.
CHABROW: Seems to be a simple case of information risk management or maybe corporate risk management.
DURBIN: That's absolutely right and I think it's one of those things that's very easy to say, and not so easy to do.
CHABROW: What should organizations do to make it easier to do?
DURBIN: I think it's about the information security professional performing just that role, the role of a professional, of a consultant if you like, and really getting together with the different business units, with the legal department, the PR department, the HR department and right away across the enterprise to determine how they can best deal with some of the potential threats that are out there, and then for the business to be working collaboratively to perhaps determine a cybersecurity strategy to implement across the business to get things like acceptable usage policies signed by employees for the use of mobile devices.
But it isn't just about the information security guys going out and doing this; it's about the business taking responsibility for working with them to combat what could be very significant impacts on brand, on reputation and of course on stock price.
Gaining Corporate Buy-In
CHABROW: In many organizations, rightly or wrongly, a lot of the information risk management is given to the IT security organization or the IT organization and as you'd pointed out, maybe they should involve people at all levels of the company. What do the IT security professionals need to do to persuade their bosses, who are non-tech people, to get more involved?
DURBIN: I think you've hit on a real challenge for them. Traditionally, information security professionals are used to working with the technology. They're perhaps not as well equipped as they might be to be able to speak the language of business, and there are a couple of things I think that are going on that are enabling that change.
First, we've seen some very high-profile breaches and hacks over the last 12 months. I think those affected continued, but that's beginning to focus the mind of the business on the fact that there's potentially a problem here.
The second component is regulation. We're seeing much more emphasis being placed on transparency. We're seeing here in the United States bills being introduced to the Senate that talk about privacy. Across in the European Union, we're seeing a move towards harmonization across all member states. So again, from the business standpoint, people are becoming much more aware of it.
So from the security professional's point-of-view, I think they need to build on those opportunities - if I could call them that - and really begin to articulate clearly to the business what they can do to help, and to begin those sorts of discussions. Ultimately, it's going to take quite some time before all businesses are used to having that kind of joined-up approach.
CHABROW: One of the findings that I found intriguing, as you pointed out in the report and you just mentioned, is that there's a movement toward more regulation, which in turn promotes more transparency. But transparency could make an organization's IT more vulnerable.
DURBIN: That's right. That's what we're saying. We're saying that with increased transparency there's a need for organizations to publicize what they're doing. That does potentially open up opportunities to weaknesses that could again potentially open up to cybercrime. So what can organizations do about that? Well, I think they need to look at it within the context of, "We have to be more transparent." What are the implications of that? What is it that we need to be doing in order to ensure that it's good transparency, as opposed to bad transparency? For me, there's no alternative. If you aren't transparent, I think a number of suppliers and customers will be saying, "Hey, why aren't you? Have you got something to hide?" It's a bit of a no-win situation on this one, and I think that's why we're saying that it's going to require quite an amount of focus, quite an amount of input gained from business and from information security in order to make sure that the picture that you're displaying to the outside world is favorable.
CHABROW: I see something similar when the report discusses privacy. It says a focus on privacy could distract from other security efforts. What do you mean by that? And to secure IT in the coming years, will organizations need to erode their stakeholders' privacy rights?
DURBIN: Privacy is a really interesting one and I think it plays back to one of the points we raised right at the beginning, which is lack of funding. As we look forward to see the way in which different statutes are being produced, there's going to be much more of a requirement on the part of the business to demonstrate clearly that they're operating within the legislation. I think that's certainly the move that the European Union is making by 2015 and certainly over here in the United States, some of the things that are referred here will mean that organizations are going to have to spend much more time and effort in terms of protecting data, that they're holding it securely, that they understand the use that they're making of that data and that they're compliant.
One of the big challenges I think for American corporations dealing in the European Union, for instance, is even if they don't have offices there, they're dealing with member states or companies within the member states, and they fall under the jurisdiction of the European Union Act that's being introduced. They have fairly draconian powers to implement penalties of up to two percent of annual global turnover. That's a significant number. I think we will see organizations having to make a decision as to how they're going to preserve privacy within these kinds of jurisdictions or perhaps we may see some simply deciding that they're going to opt out of operating in those countries.
CHABROW: Is there a problem that global organizations face in guaranteeing the privacy, as well as the security, in their attempts to meet a different approach to privacy in Europe than in the United States?
DURBIN: I think between the United States and Europe, we're moving towards much more alignment than perhaps we would see with say the United States and some of the Asian countries or some of the emerging countries - I'm thinking particularly here about the Brits. I think as far as we're concerned between the U.S. and Europe, I think there has been a lot of work that's being done to try to align those things. We haven't got it right on every occasion clearly, but I don't think you ever will. I think the point is that there's a commitment to making it work across those two areas and I think that the bigger issues are going to come outside of those land masses rather than between the U.S. and the European Union.
Keeping Up with New Technologies
CHABROW: One of the findings that I found most intriguing was that new technologies overwhelm organizations. The report says organizations that don't understand their dependence on technology may have a nasty surprise that leads them astray. Are technologies moving so rapidly that it's impossible for most IT organizations to keep up with them?
DURBIN: I think technology is moving at a feral pace, yes. I think that one of the big challenges for organizations really comes in with things like consumer devices in the workplace, because it isn't just about technology. It's about the way in which the Facebook generation is making use of that technology within the business environment. In a number of instances, we're falling back on perhaps the information security professional having to assume the role of a traffic cop in preventing people from doing things, and that really isn't good for business. It doesn't enable individuals to make the most use of the technology that they've got, and I think there's also impatience on the part of the Facebook generation because they're used to using these things to get the job done. Let's face it, there are significant benefits from being able to take advantage of mobile devices, from being able to take advantage of cloud-based services, from being able to take advantage of big data, but if you add all of those together, then that increases the burden on information security to get it right.
Threat Horizon 2014
CHABROW: Your report is entitled, "Threat Horizon 2014." How dire will the situation be in 2014, and do you see companies and governments being overwhelmed by meeting these IT security challenges we've been discussing?
DURBIN: We do call the report, "Threat Horizon 2014." It's an annual report. One of the things that we do every year is we ask our members whether or not we got it right, and I think the concerning thing - if I can put it that way - is that in a majority of cases our members tell us that we got the threats right, we got the timing wrong. By that I mean things happened more quickly than we said they were going to. So if we apply that factor up to the "Threat Horizon 2014" report, then I think some of the things we've just been discussing now are probably already happening in a number of organizations. That presents a big challenge because it's the speed at which these things are moving that really creates some of the biggest problems.
Any one of the threats we've talked about, an information security department could probably handle it if it were an isolated threat. But when they begin to combine and move at the speed that we're seeing, that's when the problems occur.
CHABROW: I guess to add to that is the threats that we're not aware of today that are going to be here in six months or a year.
DURBIN: That's absolutely right. This is looking out to say, "These are the things we know about, but the ones we don't know about - those are the ones that are really scary."