Information security requires an approach that involves people, process and technology. But, while we have made great strides in technological advancements in information security, security culture for many organizations remains in a state of stasis.
For enterprises to achieve the level of information security needed for today’s world, major changes to culture and process must be addressed.
Modern businesses have digital adversaries; that is a fact we, as information security professionals, face every day. If you are like most infosecurity professionals I know, the challenges you face can seem insurmountable: keeping apprised of new threats, finding security vulnerabilities in systems, hiring and training new staff and getting the buy-in of C-level execs who never seem to “get it.”
With the rapidly changing threats we now face, businesses need new approaches to information security and professionals that can think strategically about big picture challenges while having the tactical acumen and agility to respond to threats.
A New World of Security Threats
Too many enterprises rest too easy at night thinking that their information is secure, and not enough time preparing for the reality: facing an information security crisis is only a matter of when, no longer if. This is the first change we must address.
Today, enterprises must assume an attack will occur and assume you won’t catch it when it does. A 2015 Ponemon Institute report found that financial firms took, on average, 98 days to detect a breach and retail stores up to 197 days. Given that the financial industry tends to be ahead of the pack in security practices, these statistics are not encouraging.
Another recent change is the increasing storage of non-proprietary data. For instance, online retailers routinely keep credit card information on file for consumer convenience. This means that enterprises hold data valuable to attackers and their owners, but relatively expendable to the enterprise.
The owners of this data have little say in how their data is being managed, and put huge trust in enterprises that it will be kept secure. The security models that look only at protecting value to the business, yet ignoring these “silent stakeholders,” is harming both the consumer and their confidence and must be addressed.
Cultural Shifts Need to be Addressed
Many information security professionals would assert that these industry-wide trends are obvious. Maybe, but enterprises have still been slow to adapt to this new world. That needs to take priority today.
To start, enterprises must create comprehensive security strategies that account for all aspects of an organization. Just like enterprises maintain crisis plans in the event of physical disaster, so too must enterprises create and maintain crisis plans for their information systems.
However, the policy-focused approach to information security is only one part. Policy creation and implementation is too slow a process for the modern pace of information security. Today, the security problem is best tackled at the operational level with the people who are running systems and networks for enterprises on a day-to-day basis. Businesses need professionals who can take big-picture outlooks of security on the enterprise level and have the skills and knowledge to assess information and make intelligent, strategic and agile defense decisions.
Finally, and perhaps most importantly, studies repeatedly show that people – living, breathing, human network “endpoints” – remain a consistent challenge that must be addressed. Your workforce may unwittingly be letting intruders into your networks via phishing emails or exposing data to the outside world through use of shadow IT – tools like personal cloud storage – as convenient ways of taking work home. These innocent actions put information at significant risk as they open new doors for intrusion into enterprise data.
As such, CIOs and CISOs can no longer afford to consider only their IT systems; they need to lead the development of good security awareness among the entire workforce, lest continue exposing the enterprise to unnecessary risk. Empowering organizations to foster such cultures of “security hygiene” is important.
New programs are beginning to surface to teach information security professionals to address these needed changes. Champlain College’s Master of Science in Information Security Operations (MSISO), developed in response to industry demand, marries the strategic thinking and tactical agility needed in today’s information security climate and marks a real shift in security mindset that is just now beginning to percolate through the industry.
Information security has long been an arms race. As the community develops better ways to defend against attacks, adversaries find better ways to get around those defenses. The time has come for CISOs, CIOs, and other information security officers to take a refreshed look at their security cultures and assess whether or not current operations across the entire enterprise – not merely policy – are sufficient in today’s new world.