The Information Security Forum (ISF), an independent, non-profit organization dedicated to identifying and benchmarking good practices in information security, has produced a 'Threat Horizon 2012' report that details ten future scenarios identifying the key areas of risk to business, both within and beyond the information security remit. ISF has exclusively shared the details of this report with SearchSecurity.in. Overall, about two hundred member representatives contributed their thoughts and ideas to this project.
Rather than looking at information security risk purely from a technical standpoint, this report tries to offer a holistic view of threats to businesses. Using the PLEST framework, it considers the political, legal, economic, socio-cultural and technical macro-economic factors that will affect organizations in the coming years. The 10 threat scenarios are mainly an outcome of broader risks such as cultural changes, globalization and weakening infrastructure.
Asked about the most critical threat to information security in India, the author of the report, Andy Jones, CISSP, Principal Research Consultant, ISF, chooses 'contingency fails'. He explains, "Whilst underinvestment in critical national (and organizational) infrastructure is an issue for many countries and organizations, I believe that the competency that India has built in the outsourcing area makes it more vulnerable to outages in major infrastructural components – for example, the Internet." For an outsourcing company, being isolated or suffering degraded global Internet connectivity is likely to be very damaging. He also cautions about a similar scenario that occurred two years ago, when the main Internet pipe to the region was damaged by trawling.
Sharing further observations on threats to information security in India, Jones says, "In this region, we saw more focus on the technical risks, rather than some of the softer cultural risks." The report also stresses that changes in cultural behavior, coupled with higher adoption of technology, have resulted in a changed attitude towards protecting information, especially among the generation that has grown up with the Internet. We are living in a world where social networking platforms encourage individuals to share as much personal information as possible, while authorities and governments are coming up with more and more stringent privacy protection laws.
Jones also pointed out that interest in cloud issues was found to be stronger in India than in other regions. He recommends the following actions against threats to information security in the cloud:
• Develop a security strategy for cloud computing and understand how existing identity and access mechanisms can be adopted for the cloud environment
• Understand disaster recovery in the cloud
• Establish criteria for what information can be placed in the cloud without falling foul of legal and regulatory obligations
• Draw up a contingency plan to retrench from the cloud if necessary
• Determine an information classification system, which you can use to communicate with cloud providers
The 'Threat Horizon 2012' report not only identifies future threats to information security but also offers high-level actions that organizations can take to prepare the groundwork through a proactive and strategic approach to risk management.