If you were to ask me what I consider the biggest security threats to a large organisation are, then I would reply that it's two things: third parties and portable devices. We're asking more of both and we're trusting more of our private data to both as well. For instance, we might use third party data centers because of in-house space, security and systems management challenges. So, the business will research solutions, invite quotes, and choose it's service provider. At what point do we look at the vendor's security and what questions do we ask?
In my own organisation I've implemented a a vendor risk-assessment process that allows me to score based on a standard set of questions covering everything from connectivity to local security management. The process works well and puts me in a position where I can give a reasonably well judged assessment, based on a standard and repeatable process, to management.
Mobile devices are, as we are all aware, proliferating fast. We are now being overwhelmed with blackberries and laptops and smart-phones and USB thumb drives. Here, security awareness and education probably pay best dividends, but I've also been looking at numerous means of getting the data on those devices encrypted. In the near future, as described here virtualisation might be a solution for managing mobile device security.
Those are my top two concerns. How do they compare with yours? Anyone?...