Reputational damage is top of mind for information security leaders again. According to a global survey of more than 7,500 security professionals, 71 per cent said that avoiding harm to brand was their top priority, ahead of other hot topics, such as maintaining customer data privacy, controlling identity theft, and protection against breaches of laws and regulations. The study was conducted by researcher Frost & Sullivan on behalf of security professional certification group ISC2.
Howard Schmidt, a former White House security advisor, said the future of security lies in it being baked into systems, networks and processes. “Security is starting to be built into the infrastructure,” he said. “Before, it was like buying a car and having to buy the brakes separately. We’ve truly passed a tipping point.”
Schmidt added that consolidation in the sector was aiding that process with deals in the last couple of years, such as EMC buying RSA Security and Symantec combining with Veritas.
He also empathised with those who call for the restoration of a unit dedicated to tackling computer crime. “There’s this question of ‘should hi-tech be subsumed into some other organisation?’ Although I agree that consolidation is good within the industry, I think it’s a bit premature for public agencies. They should have a concentrated unit because otherwise they have to compete for resources.”
Louis Gamon, regional director of the Information Systems Security Association, was critical of the government and “how little it pays any attention to cyber crime. There’s a belief that it’s small beer, peanuts, but we’re losing more money in e-crime than to the drugs cartels.”
However, Schmidt cautioned that definitions of the nature of computer “crime” need care. “The perception is sometimes one of someone with sunglasses directing things from a Rolls-Royce when you use the term ‘organised crime’,” he said, noting that often groups of miscreants have no association with Mafia-type organisations or terrorism.
ISC2 board director Richard Nealon said security chiefs need increasingly to play a role in broader risk management, and applauded the role of regulations in mandating more secure regimes at organisations. “Today, risk management is part of the common body of knowledge if you’re setting up a company,” he said. “In the same way you put in accounting to manage finance, you put in security to manage risk. What the regulations have done is wonderful in terms of foreseeing the sub-prime crisis and the banks’ exposure. Sarbanes-Oxley made us document our processes and made them more robust and manageable. I thought it would be easy and very woolly, but it was painful. The silver lining is that it has turned out to be a great advantage to be SOX-compliant.”
Nealon said he is observing a rise in slicker, more professional threats to security. “Until now, we’ve led a blessed life and our biggest threat was people who didn’t have a lot of malice, motivation, technology or education. They were script kiddies or enthusiasts, and most of the threats came from that vector. Now there is motivation and there is money to be made. They’ll produce a business plan, seek funding, allocate resources, and they basically do it for profit motives. They’re very sophisticated so, as an industry collectively, and as a business uniquely, we need to put controls in place to ensure we don’t become real targets.”
Nealon also said that social networking threats remain a concern. “Security used to be mainly technology then process, so you would have a technology control such as anti-virus or intrusion-detection, and a process such as patching and updating. Now it’s the people aspect of the job that is hardest to control. Look at what Kevin Mitnick [notorious US cyber criminal] did. He was very charming and compromised systems through people.”
ISC2 board director and consultant Peter Berlich said that although the profile of security is much greater than previously, the roles of chief security officers were still dependent on the nature of employers and industries. “If your business is making soap, do you need to be on the board?” he quipped.