Businesses should not rely on historical trends alone in setting IT security strategies and policies, according to the Information Security Forum (ISF).
"Instead, information security professionals need to question security-as-usual," Mark Chaplin, ISF principal research analyst, told a briefing hosted by BT's IT services division, BT Engage IT.
Best practice calls for continual reassessment of the risks to an organisation's data assets from threats outside the organisation as well as within, he said.
An important part of this is keeping up with change; looking at political, legal, economic, social and technological changes taking place, and then making the necessary changes to an organisation's security strategy based on how these changes may give rise to information security threats, said Chaplin.
"Establish your organisation's [security] intelligence needs; build a network to help you understand the threats, and become a super-connector between technology and security," he said.
According to Chaplin, the best way for information security professionals to ensure they are able to meet the threats facing the organisations they support is to question their beliefs, plan for uncertainty and prepare for change.
The ISF's annual Threat Horizon report, he said, analyses the combined input from members, industry and experts to help organisations identify what threats may affect them and plan their information security strategies accordingly.