Opinion: Dealing with a changing threat landscape

The threat landscape in information security is in a constant state of flux, with new threats emerging and existing threats becoming ever more sophisticated, write Steve Wright and Nick Frost.

At first sight, it might be fair to say there is nothing ground-breaking in this observation, as all security professionals have lived with this situation for decades. But many of the macro-environmental factors that often go unnoticed - such as political, legal, economic, socio-cultural and technical - have greater significance for the types of threat that challenge information security professionals today.

These factors range from the well-publicised, such as the rise in incidents related to organised crime and increasing signs of internal misuse of information by employees concerned with job security, to the less obvious, such as organisations outsourcing critical business services to companies that can help reduce costs but which may not always be able to provide the level of protection expected.

The question of what actions organisations should take requires an approach that can flex with this dynamic threat landscape while maintaining value to the business. There is no silver bullet (and never will be) for selecting controls to mitigate all information security-related threat types, but there are key areas of focus that organisations need to consider.

Get the basics right: adopt a risk-based approach to identifying critical information and select controls to help protect it; establish greater collaboration with the business; and create a more vigilant workforce. A tried and tested technique for greater collaboration with the business is to align the risks to the objectives of a business function. This makes it more meaningful to business owners and allows them to design a more effective risk treatment plan.

Enhance existing security controls: analyse event logs on critical systems; establish a responsive capability; do not place all your trust in preventative technologies; and embed security early on in the development lifecycle.

Adopt controls that may be seen as unconventional: test attack kits in quarantined environments; use specialist third parties to monitor hacking communities; and conduct background checks on key members of staff who "hold the keys to the kingdom". As Sun-tzu quoted, "Keep your friends close, but your enemies closer."

Steve Wright is senior manager at PricewaterhouseCoopers Security

Nick Frost is senior research consultant at the Information Security Forum