Broader view needed to tackle security threats

To make a positive contribution to business, IT security professionals must weigh global issues to effectively gauge business risks and align security posture, advises consultant.
Written by Vivian Yeo, Contributor

SINGAPORE--Businesses, more than ever, need to take a big-picture view of global issues in order to understand business risks and effectively boost their information security posture, according to a security consultant.

Adrian Davis, senior research consultant at the Information Security Forum (ISF), explained that, oftentimes, IT and information security is "all about patching, building ever-higher firewalls and installing more and more tools" but this is too reactive and narrow a view.

In an interview Tuesday with ZDNet Asia, Davis said: "To really make a positive contribution to the business, information security and information risk professionals need to be thinking above that technology layer.

"They need to understand the technology, but they need to be thinking...about the whole [spectrum] right across people, process and technology," said the consultant, who was in town as a speaker at the SecureAsia@Singapore 2010 conference.

The ISF publishes an annual report that predicts forward-looking scenarios which could pose information security risks to the business. The latest report, released in May, gathered information and feedback from over 400 individuals and organizations including members of the 300-strong ISF community, field experts, futurologists and economic bodies such as the World Economic Forum.

The report highlighted broad issues that defined information security threats, namely, infrastructure weakness, cultural change and globalization.

According to the ISF, there is not enough investment in infrastructure in some parts of the world, both at the national and organization level. This indicates that IT is poorly positioned to support evolving technologies and user consumption of such technologies.

"We think we all live in a broadband-enabled world--we don't," said Davis, who is contracted to the London-based ISF from PricewaterhouseCoopers in the United Kingdom. "In many places in the world, access is severely restricted. And if you do have access, the pipes are very small--4Mbps or 8Mbps access at home is very limited."

Evolving cultures also signal a shift in the way companies manage their business. One aspect is changing workforce attitudes, Davis noted, pointing to the increasing number of strikes in China and graduates in India expecting more sophisticated jobs.

In addition, globalization brings about its own set of challenges, he said. The world is "flat" from an IT perspective, but not from a legal, cultural and societal perspective, he noted. Davis added that there is often tension between the ease of globalization and the difficulties brought about by local perspectives.

The Indians, for example, are now outsourcing to China and are themselves now facing many of the problems the Western world faced when it outsourced to India around data privacy, contracts, law and intellectual property, he explained.

Integrity, mobile workforce a worry
Globally, three scenarios will impact organizations most over the next two years, according to Davis. Data integrity, he noted, is becoming a serious challenge with the growing amount of digital information and availability of the data in different locations.

"If you can attack the right data and change its integrity, you can really hold the company ransom," he said.

Another trend businesses should watch carefully is the green movement, he noted. According to the ISF report, efforts to reduce carbon footprint have led to significant growth in home and remote working, which security systems have not scaled to accommodate. This could result in unintended disclosure of corporate data and inability to meet compliance regulations, he warned.

The increasing reliance of the global workforce on mobile devices such as smartphones also carries security implications, added Davis. This issue will become more evident as some 500 million mobile users, particularly in Africa, are added in the next four to five years.

At the same time, the mobile phone will increasingly become an electronic wallet for payments, which makes it more lucrative for cybercriminals to attack, he said.

SMBs to gain from MNC-type cloud security
The ISF report also offers some takeaways for small and midsize enterprises (SMEs).

The possibility of contingency failure, for instance, due to poor resiliency is a scenario that could potentially impact SMEs more than larger organizations, said Davis. He noted that smaller companies typically lack good backup, business continuity and disaster recovery plans compared to their larger counterparts, which have multiple data centers and backup facilities.

Any outage could spell the end of a smaller business, he pointed out.

But at least one prediction has the opposite effect on SMEs. In its report, ISF called for enterprises to develop strategies for cloud computing that tie in security and compliance, as the business benefits of the technology have resulted in companies taking shortcuts and disregarding the need for security.

The move to cloud computing, however, could in fact improve the security posture of SMBs, said Davis.

"In the future, cloud providers will have to show they can provide the kind of security wanted by MNCs," he explained, adding that these vendors are now working to achieve these standards.

"Because they'll be trying to meet the exacting standards of multinationals, SMEs can only benefit...[they] will be able to buy into MNC-type security."
