Dec 30, 2017

Information security state of the play

It's that time of the year again when information security predictions start pouring in. Many, if not most, of them are pretty uninteresting, since the world doesn't magically change with the new year. Predictions are also all over the place depending on who made them and what they are selling.

My favorite is the Information Security Forum's Threat Report, which is updated yearly and looks two years ahead. The report is mostly intended for business leaders and information security leaders (CSO, CRO, CISO, depending on your organization). I especially like that it's created by studying available research, interviewing experts and running several member workshops to discuss the changes seen and expected in member organizations. The Executive Summary is available for download; the whole 50+ page report is for members only. (Full disclosure: I'm a member of the ISF Executive Board.)

Instead of making my own predictions - as if my 2010 predictions would need an update - I'm presenting how I see the current state of information security. By the way, in my vocabulary information security covers IT security, cyber security and digital security, if you fancy those terms.

User is not the weakest link

We humans are not rational decision makers who analyze pros and cons thoroughly. We mostly try to get through the day (and its IT challenges) with minimum effort, have lots of biases, and are clever enough to work around (security) obstacles. It seems that IT systems and applications are often not built for humans. Since artificial intelligence is not quite here yet, we still need to consider users as part of the solution and build people-friendly systems. Hence, I like the design thinking and service design approach - if only information security were considered in those workshops.

Regular information security awareness training is required in order to promote secure behavior and build a good security culture. We don't want our users to be clueless either. I would also recommend that security practitioners study behavioral economics and psychology.

Most of the information security is a byproduct of good IT governance

When you know and manage your IT assets properly and have basic information security tools and processes in place, you are already in pretty good shape. Have a good architecture, know your assets, make proper installations, have a rigorous change management process, make (and test) backups, patch your systems and keep user accounts up to date. You certainly need some security tools and processes: antivirus, firewalls, and log collection and analysis for starters.

On top of that there is no end of additional security tools and services which you may consider based on your threat and risk estimation. You have to know what you are protecting and against whom, right?

Most organizations still have lots to do on these basics. It's hard to protect something you don't know you have.

Information security is too important to be left just to information security experts

You may have started wondering where information security specialists are needed. Indeed, the basics shouldn't need any infosec experts. Architects, sysadmins and network admins worth their salt can manage most of it. Firewalls and VPNs are just network components; antivirus and log management are something any sysadmin can handle.

Information security specialists could be hired to promote security, evaluate risks, help with the trickiest cases, tackle the challenges of new technology and keep management aware of the information security status. Remember, however, that it's not the CISO or the information security experts who secure the organization. Information security is part of everyone's daily work.

Many organizations have hired just one information security expert, called them the CISO, and expect that person to understand all of information security. That's impossible. Information security covers everything from cryptography to secure architecture to enterprise risk management. You can't expect one poor person to handle all of it. Think in categories: manage - design - implement - evaluate. Different roles and skills are needed for each.

Evaluate your service providers' information security promise and capabilities

More and more ICT is acquired from various service or cloud providers. From an information security perspective this is usually a good thing, since good security is the lifeblood of most service providers. You need to verify, though. Ask service providers to prove their capabilities. Security certifications, audit reports and a documented security promise for the service are a good start for the evaluation.

Don't forget to have information security in the contracts as well. I recommend having your own security contract template ready and starting negotiations with it. Be flexible, though. Usually it's better to allow the service provider to follow its own standards and processes - just check that those are good enough for you. It's difficult to change a service provider's processes, and exceptions tend to be forgotten.

Go ahead with new technology, but understand your risks

There's a lot of technology innovation going on, and of course business wants to follow, trying out innovative ways to make use of new, often immature, technology. However, the sad truth is that innovation in information security tools and products has been falling behind, and still is.

Business may and should innovate, but at the same time we need to understand that risk may increase. New business models and plans making use of new technology, cloud and apps simply have to consider information security risks. Crash test dummies have very limited use in organizations.

An old infosec dog is learning new tricks - constantly

I regularly see articles and posts demanding that information security experts stop being naysayers. I wonder where they have found those old-school security guys who deny everything? In my (fairly wide) circles all my colleagues have been business-oriented and forward-looking for years. Maybe it's time for some business people to see the light and be more open-minded toward security-enhancing suggestions? Information security is about enabling business and managing risk.

Business buzzwords like agile, cloud, devops, experimentation, big data, design thinking, API-driven business and machine learning mean that there's no rest for information security experts either. We information security professionals must adapt to agility, insecurity, risk tolerance, openness, a user-oriented approach and continuous change.

In fact, information security practitioners should embrace new technology and trends. Think about how to use them for better security instead of trying to delay the inevitable.

It's software, stupid

Everything is running on software, from critical infrastructure to cars and mobile phones. I'm amazed how weak the understanding of secure software development still is. It seems that many organizations are still relying on external audits after their software has been developed. Fixing bugs in production is 100x more expensive than in the planning phase. This is an age-old software development truth, but apparently not one many care about. If you don't think about security requirements already when sketching your software, you may burn your fingers sooner or later.

Don't forget to demand secure software from your vendors as well, and ask for evidence.

CISO on the board - not just yet

There is more and more noise about bringing information security expertise onto the company board or management team. Most of the noise is coming from the infosec people, of course. In my experience there are very few - shall I say forerunner - organizations which have raised the information security leader into top management.

In my mind, being on the board is not mandatory in order to succeed as an information security leader. But it is mandatory to have a regular dialogue with top management and the business. Being at most one hop away from the CEO in the organizational structure is ideal.

Organizational hierarchy is not the key issue. It's critical that top management shows its commitment to information security and that the information security leader has regular access to top management. I believe that the information security leader's most important job is to keep the board and management team aware of the information security status, the risks and the possibilities for mitigating them.

Good luck with 2018 and beyond

The current environment is very complex, with new technology, massive amounts of software and global connections. It's difficult - if not impossible - to understand, and therefore also extremely hard to protect. Information security standards help, and regulation forces us to implement the security baseline. Let's make information security great again with good IT management, risk assessments, user focus, vendor evaluations, secure software development, constant learning and real commitment from top management.