Information security is heading to a tipping point that will force a shift in focus to understand threats and their potential impact on business, says NTT Com Security.
“Security has got to evolve from putting constraints on people to enabling them to work in ways that are secure,” said Garry Sidaway, senior vice-president of security strategy at NTT Com Security.
He also believes the traditional approach of restricting employee's activities has also reinforced bad behaviour among enterprise employees.
“Security controls have taken away any sense of personal responsibility. Consequently, employees will do anything regardless of the risk if they can get away with it,” Sidaway told Computer Weekly.
For this reason, he believes there is also a need for a cultural change in many companies regarding security, so individuals are made aware of the risk and held accountable for their actions.
Sidaway believes that, when it comes to information security, more companies should follow the example of the petrochemical industry, where a risk assessment is made for everything.
“The cyber risks to the business should be clearly communicated to all employees in a way that is relevant to them and their role in the company.
“It is important to make it personal and to filter out the noise about cyber threats to avoid desensitising people,” he said.
Sidaway said organisations also need greater situation awareness through sharing information about the kinds of cyber attacks that are taking place.
More on threat data exchange
- Information sharing key to security, say European experts
- UK cyber threat sharing ahead of target, says Cert-UK
- East Midlands gets cyber threat sharing node
- UK government launches cyber threat data-sharing partnership
- GCHQ launches pilot to share cyber threat intelligence
- Threat info sharing tough, says RSA conference committee
- How to source cyber threat intelligence
- Does your SIEM integrate threat intelligence feeds?
- Threat intelligence and risk: Why cybersecurity hangs in the balance
A common challenge in exchanging threat data is the lack of a common standard format for data that is machine-readable and can be used and understood by all companies.
In preparation for sharing threat data more widely, Sidaway said the NTT Group is putting its house in order by developing a set of common terms for threat data exchange in the group.
“We now have a growing taxonomy for threat data to enable a consistent way of communicating across the group, which has already led to some good conversations internally,” said Sidaway.
“We are already in a much better position because we have a better understanding of what we can share and how,” he said.
The NTT Group is also talking to our technology partners to get a common understanding around threat data.
The group plans to build on this to extend it to membership of programmes like the UK government’s Cybersecurity Information Sharing Partnership (CISP).
According to Cert-UK, the CISP is growing well ahead of targets with more than 680 member organisations signed up to the free service since it was set up in March 2013.
Members are able to share, publically or anonymously, information on cyber incidents they are seeing to help them help themselves to protect against cyber threats.
“The CISP is now very much the situational awareness platform within Cert-UK, with more than 1,850 individuals on the system,” Cert-UK director Chris Gibson told Computer Weekly.