Information security threats should be understood and addressed as a whole, not in a standalone manner.
For example, a major challenge is to address the numerous technical threats, which are becoming more sophisticated, organised and targeted: man-in-the-browser attacks are growing in popularity, while mobile and social networking-related threats are becoming more sophisticated.
These threats should be considered in combination with those that depend on the human factor, and should be guided by a concise framework based on international practices.
The economic crisis, for example, magnifies these threats: if an organisation is reducing personnel costs, segregation of duties may become a challenge, since several critical roles may be assigned to the same person.
Overall, the most critical challenge is to be able to see the whole picture, understand the business needs of the organisation and find solutions to address them. The question is how?
Choose the appropriate framework
International experience as depicted in standards, frameworks and good practices can be a great tool in the hands of a security professional.
Following the latest trends is crucial to be able to prevent problems that others are already facing.
COBIT 5 for information security, published in June 2012, provides the latest business thinking in information security, giving the tools for gaining a holistic view and binding information security activities with the strategic goals of an enterprise.
Effective risk assessment will identify the security needs of an enterprise.
In addition to technology and processes, an enterprise should focus on the human factor, culture as well as the societal aspect.
At the same time, security opinions around new models such as the cloud should be made more precise. For example, if an enterprise is planning to innovate through the adoption of cloud services, the perception of the cloud being insecure may act as an impeding factor. A cloud offering, however, may include security services that are far more effective than those already in place within the enterprise, since a cloud provider may be in a position to implement more expensive frameworks by sharing the cost between its clients.
There is a requirement for any business choosing cloud services to fully understand its current security level and make a comparison with the cloud.
Focus on culture, help the business innovate
It is generally the case that in any company culture, the more restrictions you apply, the less you promote innovation.
Innovation requires a certain amount of freedom; however, this needs to be outlined and the limits carefully delineated.
There are many ways to implement innovative strategies. For example, if your sales teams are using mobile technologies for communicating with the office while they are on the road, you should research the type of controls which they would use with the least resistance.
At the same time, an appropriate awareness programme should explain that following and proving security in practice makes the enterprise look more trusted to potential clients, helping the sales team achieve its goals.
Be prepared, new trends may be unstoppable
Looking into this example in a wider manner, in the early days of the bring-your-own-device (BYOD) trend, most IT security departments considered the technology far too insecure to use, attempting to prohibit it. They eventually realised that it is a law of physics that water will find its own level, accepting that BYOD was there and they should find ways to enable it through IT security controls.
The same applies nowadays with jail-broken/rooted devices. While a corporate policy may officially prohibit their use, an enterprise should be prepared for jail-broken devices that cannot be identified, taking into account that this is an emerging trend. Having controls in place against new trends does not mean an enterprise is secure. Continuous monitoring and acceptance of reality, rather than creating a perception of security, is a more effective approach.
Information security departments need to be aware of what their employees are up to and what is actually happening on the network. ISACA’s COBIT 5 is an innovative framework that can make security an intrinsic part of an enterprise, so that no unexpected events can surprise you. As an innovator, you will be ahead of – not behind – the safe adoption curve.
Christos Dimitriadis is international vice-president of ISACA.
This was first published in October 2012