Challenge #1: The Recognized Impact of a Security BreachThe seemingly endless news cycle of data breaches has alerted organizations, including executive and board management, to the importance of security and the fear they might be next. Last year, over 82 percent of respondents to a Tripwire survey thought it was likely their organization would experience a breach. It's not surprising then that more than three quarters (78 percent) of boards are concerned with computer security today, according to a joint study conducted by ISACA and RSA. This heightened attention is due, in part, to the costs of computer crime, which the Center for Strategic and International Studies estimated to be around $445 billion annually. Unfortunately, that total is expected to increase each year as organizations process and store more information, and as cyber-crime becomes more pervasive and of higher impact. Cyber-crime continues to escalate in frequency, impact and sophistication and threatens enterprises regardless of size and sector. A data breach or intrusion can cause an organization to lose customers, revenue, and reputational value, experience loss of operational continuity and question the integrity of its data. For some businesses, those losses would range from costly to downright irreversible.
Challenge #2: The Skills GapOne of the contributing and elevating factors to rising breach costs is the ongoing InfoSec skills gap. In the ISACA/RSA study I mentioned above, 52.44 percent of respondents felt that less than a quarter of their organizations' employees are qualified for their positions. Those respondents also identified security practitioners' ability to understand the business as the largest skills gap. This problem poses a serious risk to an organization. If security practioners don't fully understand the nature of their business, security and business personnel will fail to see how each asset is relevant to the support of an organization's mission. That means they won't grasp the relative business importance of protecting each asset, which will hamper their ability to reduce threats and mitigate risks. And, while skilled professionals might be in high demand these days, there simply aren't enough InfoSec folks to go around. A 2014 study estimated that though there was a global need for as many 4.25 million security professionals, only 2.25 million practitioners were currently engaged in the field. The skills gap poses a double-risk to organizations. Not only are information security practitioners in short supply, but skilled personnel are even rarer. Each business needs to address this hiring and skills challenge head-on if they're to shore up their data security.
Challenge #3: The Explosive Growth in EndpointsLong ago network designers pondered the prospect of toasters on Ethernet. As entertaining as that notion was at the time, technology has now demonstrated that just about everything is now, or shortly will be, connected, accessible, serviced and controlled from the network. This explosion of connected devices and assets introduces an incremental scaling problem that dwarfs most of our earlier security and compliance models and predictions, toasters notwithstanding. Now more than ever, it's imperative that we have educated, skilled security personnel who can safeguard the modern IT environment's diverse array of endpoints at the scale we see now, and will see in the future. This wasn't as great of a problem back in 1992, when IT professionals could use antivirus software to protect PCs from most digital threats. But now some 22.9 billion endpoints are up and running on organizations' networks, and according to a Cisco report, that number is expected to double by 2020. The effort needed to protect so many devices can drive up security operations costs and stretch any organization's ability to make sure each device is compliant with industry standards.
Challenge #4: The Digital-Physical ConvergenceThe number of endpoints are proliferating across all sectors of the economy, including financial services, retail, food and beverage, industrial, energy, oil/gas, automotive, transportation and utilities companies. These organizations are responsible for maintaining critical national infrastructure including transportation systems, power plants and transmission systems, durable goods and food manufacturing and processing and distribution facilities, which means that any threat to their endpoints could potentially disrupt the economy or cause harm, including physical harm, to citizens. In the event that an industrial organization becomes aware of a vulnerability in Industrial Control Systems (ICS), they will likely apply countermeasures, perform hardware repairs and make sure there are no software conflicts before taking any further action. This is because hardware issues in industrial control systems are significant; they can cause power outages, reduced industrial output, and other adverse downstream effects in a production system that is highly optimized and has limited tolerance for disruption. Meanwhile, enterprises are most concerned with privacy and ensuring a set of rules limiting unprivileged users' access to information. They dedicate much of their information security programs to information confidentiality in order to protect against a breach. These different IT and OT priorities were once isolated, yet in light of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT), we're beginning to see a convergence where enterprise and industrial teams must work together to streamline their services. It stands to good reason they should also align on the protection of critical infrastructure. Going forward, companies will need to consider systems and all endpoints in IT, IoT/IIoT as they balance their priorities and explore how they can leverage safety, a common-ground objective for all types organizations, in order to forge productive partnerships.
Challenge #5: Security and Technology Is Changing RapidlyAs the digital-physical convergence illustrates, threats do not apply to organizations uniformly. Security takes on different forms and dimensions from one business to another, which means "security-in-a-box" solutions may be part of the answer, but rarely are the complete answer to keeping systems and data safe. Security has to evolve to meet today’s sophisticated threats. The solutions we used last year, or the year before, need to be re-assessed, relative to their current value proposition. Some of those technologies and vendor partnerships will transcend into the future intact and/or with improved value proposition(s). Others will not fare as well, and will need to change and adapt (some radically so) if they are to offer value now and into the future, and survive. We’re already seeing seismic shifts now in the vendor community; vendors long considered leaders in the space have lost their standing, and new vendors are taking their place. In any case, solutions need to adapt to accommodate the current and future needs of an organization. Collectively, security solutions need to make it easier for companies commonly share threat intelligence with each other and other industry members. Of course, these changes can make it difficult for organizations to invest in security. Navigating all the different packages and configuration options can get confusing, after all. As a result, organizations need to develop a rich, contextual picture outlining what they want in terms of security. This should involve identifying the critical assets that need the most protection as well as which technologies, people, and other resources necessary to help get the job done. One crucial, or requisite, point of reference is the security framework. Most organizations should adopt one, just as all commercial and public organizations observe standard financial reporting frameworks and protocols. Any one of the publically available security frameworks such as NIST, Gartner’s PPDR, CIAS, ISO27001 etc. can work. Once a framework is selected, it will need to be calibrated and tuned to the specific requirements of the organization and its commercial eco-system.. Adoption of the selected framework will require a good plan, strong investment (and possibly re-allocation of funds), good partners, execution, and time.
ConclusionThough some might like to think otherwise, these five challenges – affectionately referred to as “the five monkeys” - aren't going away anytime soon. With that in mind, organizations need to adopt a forward looking plan that takes these factors into account. They need to prepare to manage and mitigate the escalating security, compliance an operational risks these trends will engender. This process should include:
- Accurate assessment of the business’s needs relative to IT and IoT/IIoT, using a risk-based orientation.
- Adoption and application of an appropriate standards-based framework.
- Creation or adjustment of your security and compliance architecture.
- Selection of strategic vendors/partners whose technical abilities, strategic vision, and commercial strength and viability, will support your architecture and whose core capabilities address the challenges these trends present to your organization.
- Development and phased implementation and deployment of your security and compliance plan, prioritized by business risk.
- Implementation or expansion of your continuous monitoring, response and calibration programs.