Managing Information Security in 2009
Since the middle of 2008, we have seen an increase in the types and complexity of information security attacks that organizations have been facing. The widespread worms of 2004 and 2005 gave way to the targeted attacks of 2006 and early 2007. Things quieted down in the latter portion of 2007, as the security industry was able to clamp down on a lot of the botnet activity that drove the targeted attacks.
Many factors, including better anti-spam solutions, improved operating system capabilities, and better end-user awareness, helped to contribute to the slightly lower levels of threats leading into early 2008.
There is another key factor, however, which is often ignored, or at the very least, not well understood. As Bruce Schneier aptly points out in “Beyond Fear”, information security is not something you win outright; rather, it is all about mitigating ongoing risks. It is a persistent cat-and-mouse game between the protectors of the enterprise and the cyber underground.
As the good guys catch on to the techniques and approaches of the bad guys, and develop successful strategies to mitigate the risks that have been unleashed in the wild, the bad guys regroup to develop new mechanisms for attaining their goals. Over the past 5 or 6 years, cyber terrorism has moved from being the realm of uncoordinated, poorly financed individuals driven largely by ego and a desire for notoriety, to being the purview of highly coordinated, well-financed (in some cases, government-sponsored) entities with complex financial and/or political motivations. And they are more than happy to keep the publicity down to a minimum if that will ensure that more people and organizations remain in a vulnerable state for a much longer period of time.
A recent SC Magazine article points out some of the issues that organizations will face in 2009, as they look to secure their technology infrastructure from the growing threats. The task will not be made easier by the expansion of remote employees who need to be connected to the network without restriction, nor by the convergence of voice and data networks via technologies such as VoIP.
Organizations that properly inventory the various technology assets within their enterprise, generate a risk profile for each asset or asset group based on its importance to the overall business, and then begin to develop a mitigation strategy based on those risk profiles will stand the greatest chance of avoiding catastrophic or embarrassing attacks to their business in 2009.
Those that just try to do a little of everything, without regard for business value or prioritization, will likely find themselves answering to key constituents such as clients, customers or various regulatory bodies, when they suffer one or more breaches.
It’s not a matter of if you get hit. It’s a matter of how soon you will be able to determine that you have been hit, and what steps you are already taking to mitigate the potential damage, and restore customer confidence.
If it hasn’t been made sufficiently clear already, Information Security is no longer merely a technology function – it is the work of the business as a whole – and requires proper support across all business units to be effective. It is more than just a cost of doing business: it is a key driver of business success moving forward.