Emerging security technologies and cross-industry collaboration are key to security success going forward, according to a panel of information security professionals.
Just as emerging cloud and mobile technologies bring new security challenges, cloud and big data analysis are key to bolstering cyber security capability, the panel told the (ISC)2 Security Congress, Europe, the Middle East and Africa 2015 in Munich.
“Many businesses are failing to ensure their security technologies are aligned with the business, and that gap is where the exploits are happening and where attack prevention is not working as well as it should,” said Tamar Gamali, group chief information security officer, National Bank of Kuwait.
“Businesses need to shift their focus from prevention and invest in emerging technologies designed to improve visibility of what is happening across the entire corporate network and IT estate so that they are in a position to collect and analyse indicators of compromise,” he said.
In the light of the fact that traditional security technologies are no longer working, Gamali said businesses need to consider improving their ability to detect and respond to intrusions to help close the widening gap between the security threat and their defence capability.
“Cloud computing and big data analytics have the potential to greatly enhance both security monitoring and incident response capabilities,” he said.
In addition to security monitoring and analysis, the panel said organisations should be encrypting all sensitive data as part of a data-centric approach to security.
“Encryption is the only way for organisations to get control and be in a position to mitigate and ultimately accept risk,” said Frank Weisel, regional sales manager at Vormetric in Germany.
But the panel said security technologies and controls will never provide answers to all security challenges.
“Education and awareness of the importance of information security as well as the threats and risks is always going to be important,” said Markus Kluge, head of information security at Unwire in Denmark.
“But we should not only be looking at educating adults in the workplace. This is something that needs to be addressed early on in children as young as seven,” he said.
A change in attitude and approach
A change in approach and attitude by information security professionals and the industry as a whole is also important, the panel said.
“We should be making it as easy as possible for people to do their work in a secure way,” said David Jacoby, senior security researcher at Kaspersky Lab in Sweden.
“We should not expect users to remember and manage complex passwords, but instead provide easier ways to access data and services that are at the same time more secure than passwords.
“Information security professionals should also ensure they are following best practice, such as segmenting networks so that if there is a compromise, it can be contained easily,” he said.
Jacoby also called on organisations to document their risks and vulnerabilities so that penetration testers can focus on other areas and identify security gaps that were previously unknown.
“All too often, penetration test reports merely confirm what organisations already know, but fail to turn up potentially greater, more hidden risks that need immediate attention,” he said.
Data classification is another basic principle that many organisations are still not following, the panel said, which means they are unable to identify and locate their most important data assets easily.
Greater collaboration around threats
According to Vormetric, two-thirds of organisations do not classify their data and consequently do not have a good idea of what they need to protect or where their critical data is stored.
Jacoby said topping his wish list for the future of information security is greater collaboration around the threats being encountered by other organisations.
“If we are to succeed, everyone has got to work together to share experiences and learn from each other,” he said.
Gamali said collaboration around security issues is not only important among peers within each industry sector, but also across industry sectors.
The panel agreed that information sharing should include both successes and failures to help raise the security bar for all businesses.
Weisel said a framework of internationally accepted security regulations would be useful to ensure that best practices are enforced by everyone.
From a technology point of view, Kluge said some form of security-orientated artificial intelligence capability would be good to help organisations make the right decisions.
The panel also agreed that information security professionals should all work to change the perception of security as a cost and liability by demonstrating how it can support the business, cut costs and reduce business risk.