With an eye to the threat horizon several years out, organizations can no longer afford to leave responsibility for managing security risks at the door of the information security department. Instead, organizations must adopt a much more strategic and business-based approach to risk management, says Steve Durbin, global vice president of the Information Security Forum (ISF).
"While we're now emerging from the economic downturn, certainly here in the U.S. at least, there has been reduced investment across the enterprise and in information security in particular," Durbin says. "Enterprises are now playing catch up. Cybercrime, the malspace, those guys didn't suffer from the downturn."
"While individual threats will continue to pose a risk, there is even more danger when they combine, such as when organized criminals adopt techniques developed by online activists," he adds. "Traditional risk management is insufficiently agile to deal with the potential impacts from activity in cyberspace. While executives recognize the benefits and opportunities cyberspace offers, their organizations must extend risk management to become more resilient, based on a foundation of preparedness."
The ISF is a nonprofit association that researches and analyzes security and risk management issues on behalf of its members, many of whom are counted among the Fortune Global 500 and Fortune Global 1000. The ISF recently released Threat Horizon 2014, the latest in an annual series of Threat Horizon reports that forecasts the changing nature of the information security landscape. The ISF has predicted that both the range and complexity of information security threats will increase significantly over the next two years, and organizations must prepare now.
Durbin notes that security is no longer just a matter of protecting data and IP. Data breaches can have a material impact on brand and reputation--and ultimately stock price--Durbin says, making security a top-level matter for the business as a whole.
The report identifies three primary drivers of risk that organizations should focus upon over the next two years.
External Security Threats
External threats will remain a top consideration and Durbin predicts the threat will evolve as a result of the increasing sophistication of cybercrime, state-sponsored espionage, activism's shift online and attacks on systems that affect the physical world, including industrial control systems. The ISF predicts the following:
Cyber criminality will increase as the malspace matures. Organizations that commit cybercrime, espionage and other malevolent activity online have already achieved global scale and incredible sophistication and will continue to grow and develop in the coming years.
The cyber arms race will lead to a cyber cold war. Nations are already in the process of developing more sophisticated ways to attack via cyberspace and will improve their capabilities in the coming years. Nations that haven't already developed this capability will get programs under way. And businesses in the private sector shouldn't assume they'll be immune. The ISF predicts businesses will suffer collateral damage, especially as targets for espionage will include anyone whose intellectual property can turn a profit or confer an advantage.
More causes will come online and activists will become more active in cyberspace. The ISF predicts anyone who is not already using the Internet to advance their cause will start doing so over the next two years, including customer affinity groups, community associations, terrorists, dictators, political parties, urban gangs and more. All of them will find inspiration in the examples of the Arab Spring, Occupy Wall Street and Wikileaks.
Cyberspace will get physical. The Stuxnet computer worm that destroyed a number of uranium enriching centrifuges in Iran in 2010 was an early example of this trend, Durbin says. The ISF believes the increasing convergence of cyber and physical will lead to more attacks on physical systems, from attempts to turn off lights and climate control systems to disrupting manufacturing systems.
To prepare for these threats, the ISF recommends that organizations ensure that standard security measures are in place, and that they develop cyber resilience by establishing a cyber security governance function, timely attack intelligence gathering and sharing, a resilience assessment and adjustment capacity and a comprehensive response plan.
Regulatory Threats
Malicious outsiders aren't the only things organizations should be worrying about. The regulatory environment also bears watching. ISF predictions include the following:
New requirements will expose weaknesses. The move toward transparency in security disclosures will publicize weaknesses. The ISF says organizations forced to report security risks may have as much to fear from customers and business partners as from hackers and regulators.
A focus on privacy may be a distraction from other security efforts. New privacy requirements demanded by consumers, business customers and regulators will impose a heavy compliance burden, the ISF says. Organizations will have to decide whether to invest in the necessary security and legal controls, outsource or leave certain markets all together. The ISF notes organizations will also have to consider the message their actions send to customers.
To prepare for these threats, the ISF says organizations should amend their data protection frameworks and information management procedures to reflect legislative changes and review new requirements in detail to align privacy-related controls with other controls. The ISF also recommends joining and participating in industry and other associations to assess and influence policy.
Internal Security Threats
There are also internal issues to consider, both as a legacy of under-investment during the economic downturn and the blistering pace of technology evolution. The ISF predicts the following:
Cost pressures will stifle security investment, harming the information security function's capability to keep up. Even organizations that are once again investing in information security can't correct a history of under-investment overnight. But cybercriminals have continued to invest in their capabilities throughout the downturn, and organizations can expect that it will be easier and less expensive for criminals to acquire the technology and services they need to perpetrate their crimes.
Clouded understanding will lead to an outsourced mess. The ISF believes that continuing cost pressure will lead to a new digital divide that separates businesses into organizations that understand the marriage between IT and information security and organizations that don't. It predicts leading organizations will appreciate the strategic value of channels, systems and information and will invest in those areas. Organizations that don't get it will suffer competitive disadvantage and heightened risk of damaging incidents.
New technologies will overwhelm. The ISF expects organizations to continue to rapidly adopt new technology. Along with the business benefits of doing so will come new vulnerabilities and methods of attack. Organizations must understand their dependence on technology or suffer a nasty surprise.
The supply chain will spring a leak as the inside threat comes from outside. The ISF notes that a modern organization's data is spread across many parties, leaving their data vulnerable to incidents that affect their suppliers. The ISF says these risks will increase as organizations further digitize their supply chains, outsource additional functions and rely on external advisors.
To prepare for these threats, the ISF recommends security professionals help senior management understand the value of information security. Organizations should adopt information security governance and integrate it with other risk and governance efforts within the organization. Businesses also need to understand their risk appetite and ensure the value of continuous security investment meets the business need and is adequate and well spent.
Finally, enterprise also need someone to take ownership of coordinating the contracting and provisioning of business relationships, including outsourcers, offshorers, supply chain and cloud providers.
Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.