IT Security and Risk Management: An overview

Summary: Traditional network and endpoint defence tools are necessary but no longer sufficient to defeat today's increasingly sophisticated cyberattacks. We outline the scale of the problem, and examine some next-generation solutions.



Cybersecurity is obviously vital in today's hyper-connected world, but there's a balance to be struck between maintaining organisations' digital defences and allowing them to go about their business without undue hindrance. That said, it's clear that new 'next-generation' approaches are required as organisations become more mobile, more social, more reliant on cloud services and less focused on the Windows platform, and threats become more complex and multi-faceted.

Looking beyond the immediate security threats to businesses and their customers, it's also clear that digital innovation will increase the attack surface for cybercriminals, which in turn will demand forward planning and vigilance from security professionals. A recent survey from Ernst & Young (EY) asked respondents about their familiarity with a range of existing, new and emerging technologies, their capability to address associated security issues, and the importance they placed on the different technologies:

Source: Under Cyber Attack: EY's Global Information Security Survey 2013 (Ernst & Young, 2013)

Although there's the expected correlation between familiarity, confidence and importance, it's worth noting that the rankings (40-70 percent) for current technologies such as smartphones and tablets, web applications and social media are arguably not as high as they should be, and that emerging technologies such as big data, 'bring your own' cloud, the internet of things, digital money and cyber havens have very low rankings (below 40 percent). This gap will need attention if cybercriminals are not to be presented with new opportunities for mischief.

Unfortunately, as in many areas of IT, there's a shortage of suitably skilled security professionals. In EY's above-mentioned survey, for example, 50 percent of respondents cite a lack of skilled resources as a barrier to value creation, while 31 percent feel that executive-level awareness and support is lacking.

FireEye's Enrique Salem echoes these findings: "I think there's a lack of security professionals, and this is a big issue globally — the threats have become more complex, so you need more focus and expertise." Salem also believes that the role of chief information security officer (CISO) needs a boost: "They [CISOs] absolutely need more visibility: a lot of regulations are coming out to make it mandatory for public companies that if you have a breach, you have to disclose it, so the audit committees of the board are going to want lots of information about what's happening. The role of the CISO will have to be very visible — not just to internal constituents, but externally as well."

Current working practices and the evolving digital landscape make it impossible for organisations to adopt a fortress mentality. Employees routinely use mobile devices to access social networks and 'bring your own' cloud services, increasingly on non-Windows platforms — all of which makes it easier for cybercriminals to penetrate enterprise and other networks. Next-generation cyberdefences, as outlined here, will help, but developments such as the internet of things will vastly expand the global attack surface. The cybersecurity arms race continues, and the stakes are getting higher.

Topics: IT Security in the Snowden Era, Security


Charles has been in tech publishing since the late 1980s, starting with Reed's Practical Computing, then moving to Ziff-Davis to help launch the UK version of PC Magazine in 1992. ZDNet came looking for a Reviews Editor in 2000, and he's been here ever since.



  • The importance of password security

    Having a good security policy and enforcing that policy is important for maintaining good security in a data centre. However, with more and more powerful tools for debugging application issues, those tools could also be used by an internal malicious person to steal your secret passwords or passphrases when you enter them, so unless you only use software that can help you detect the threat, you can't be sure that the secret has not leaked and is still safe.
    On UNIX/Linux systems, an internal malicious person can use a system call tracer (Oracle dtrace) to steal your password, and can also steal your password just by reading from your tty device when you enter the password.
    So, if the NSA got the root password of one of your UNIX/Linux machines, even without a backdoor on the other machine, when someone tries to ssh to it, the NSA can use those system tools or methods to steal the authentication credential and gain access to the other machine.
    Should you want to secure your UNIX/Linux systems, you had better check the demos at and see the case studies there.
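
    The two theft channels named in the comment above (a tracer attached to the process that reads the password, and another process holding your tty open) both leave traces in Linux's /proc filesystem. The following is an added example written for this page, not code from the commenter or from any product mentioned; it assumes the standard Linux layout in which /proc/<pid>/status carries a TracerPid field and /proc/<pid>/fd/* symlinks resolve to the open files. The sample records are constructed, not captured from a real host.

```python
"""Spot a traced credential-handling process, or a foreign process holding a tty open,
from /proc-style data. Added illustration; sample data below is constructed."""
import os
import re
from dataclasses import dataclass, field

# Processes that typically read a password from the terminal (assumed list).
SENSITIVE = {"ssh", "sudo", "su", "login", "passwd", "gpg"}

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    tracer_pid: int                      # TracerPid from /proc/<pid>/status, 0 = not traced
    open_files: list = field(default_factory=list)  # resolved /proc/<pid>/fd/* targets

_FIELD = re.compile(r"^(\w+):\s*(.*)$", re.M)

def parse_status(text):
    """Turn the 'Key:\tvalue' lines of /proc/<pid>/status into a dict."""
    return {k: v.strip() for k, v in _FIELD.findall(text)}

def proc_from_status(text, open_files=()):
    f = parse_status(text)
    return Proc(int(f["Pid"]), int(f["PPid"]), f["Name"],
                int(f.get("TracerPid", "0")), list(open_files))

def traced_sensitive(procs):
    """(victim pid, victim name, tracer pid, tracer name) for every sensitive
    process that currently has a ptrace tracer attached (strace, gdb, ...)."""
    names = {p.pid: p.name for p in procs}
    return [(p.pid, p.name, p.tracer_pid, names.get(p.tracer_pid, "?"))
            for p in procs if p.tracer_pid and p.name in SENSITIVE]

def foreign_tty_readers(procs, tty, session_leader):
    """Processes holding `tty` open that do not descend from the session leader
    (the sshd child or login process that owns that terminal)."""
    parent = {p.pid: p.ppid for p in procs}
    def in_session(pid):
        while pid > 1:
            if pid == session_leader:
                return True
            pid = parent.get(pid, 0)
        return False
    return [(p.pid, p.name) for p in procs
            if tty in p.open_files and not in_session(p.pid)]

def collect_live():
    """Read the real /proc (Linux only; run as root to see other users' fd links)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                status = fh.read()
            fd_dir = f"/proc/{entry}/fd"
            fds = []
            for fd in os.listdir(fd_dir):
                try:
                    fds.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    pass
            procs.append(proc_from_status(status, fds))
        except OSError:          # process exited or not permitted; skip it
            continue
    return procs

def build_sample():
    """Constructed snapshot: an ssh client on pts/3 is being strace'd by a root
    shell on pts/5, and a 'cat' from that shell is reading pts/3 directly."""
    rows = [
        ("Name:\tsshd\nPid:\t900\nPPid:\t1\nTracerPid:\t0\n",    ["/dev/ptmx"]),
        ("Name:\tbash\nPid:\t950\nPPid:\t900\nTracerPid:\t0\n",  ["/dev/pts/3"]),
        ("Name:\tssh\nPid:\t980\nPPid:\t950\nTracerPid:\t1200\n", ["/dev/pts/3"]),
        ("Name:\tbash\nPid:\t1100\nPPid:\t1\nTracerPid:\t0\n",   ["/dev/pts/5"]),
        ("Name:\tstrace\nPid:\t1200\nPPid:\t1100\nTracerPid:\t0\n", ["/dev/pts/5"]),
        ("Name:\tcat\nPid:\t1300\nPPid:\t1100\nTracerPid:\t0\n", ["/dev/pts/3"]),
    ]
    return [proc_from_status(s, fds) for s, fds in rows]

if __name__ == "__main__":
    procs = build_sample()
    print("traced:", traced_sensitive(procs))
    print("foreign readers of pts/3:", foreign_tty_readers(procs, "/dev/pts/3", 900))
```

    On the sample this reports the ssh client (pid 980) traced by strace (pid 1200) and `cat` (pid 1300) holding /dev/pts/3 open from outside the session rooted at sshd pid 900. Two caveats a practitioner should keep in mind: a tracer that attaches only for the moment the password is typed and then detaches will not be present in a later snapshot, and an attacker who already holds root, as in the comment's scenario, can also read the tty through kernel interfaces that leave no open file descriptor, so this is a check for the obvious cases rather than a guarantee. The dtrace route the comment mentions is a Solaris/Oracle facility, and the /proc fields used here are Linux-specific.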
  • Era IT Blog

    "Thanks for your nice post. I hope I will see this type of post again in your blog."

    Security is a great challenge in the field of technology. It should be improved more.