What do you see as today's biggest information security threats?
Today's biggest information security threats have not changed from yesterday or even last year. There are still attacks from organized groups, insider threats, intellectual property theft and the threat of a lone hacker. However, I believe the largest problem is one of our own making, rather than one provided by the attacker. Companies are increasingly choosing to defend against security threats using the minimum security standards level dictated by one of the many compliance standards.
Compliance standards are important and do raise the base security level for those organizations that would otherwise not have a security policy in place. Non-compliance can also carry a significant financial or operational penalty within some industries, which means that organizations are highly motivated to achieve compliance. Additionally, they provide a mechanism for calculating a score, so that business leaders can see progress being made without having to see any of the detail. However, compliance does not equal security; it only means you have met the specified standard.
To adequately fight the cyber war, security teams need to be versatile and adapt to new technologies and defend against the ever-evolving arsenal that cyber criminals are able to deploy. To be compliant with a static set of security policy settings may be good enough for the risk managers, but it is simply not good enough to be secure.
This is not to say that compliance is a negative thing; it does mean that everyone is at least at a minimum security level. However, I have often seen struggles within organizations to justify the expense of going further than those minimum levels, and as a result the biggest information security threat could be one that we have made for ourselves.
Based on your discussions with clients and peers, what are the most challenging aspects of managing information-related risks in the enterprise at a time when everyone's budgets are shrinking?
Just like with the security threats of today, the problem of managing risks remains largely the same. The problem comes from identifying more cost-effective solutions to achieve the same target, and sometimes this means passing some of the burden on to suppliers. Although risk management and security management are not the same, it is generally agreed that a multi-layered approach to system security is the best approach for both lowering risks and increasing system security. However, the problem that emerges from this is that the more complex the defences, the more expensive and complex they become to manage.
Surveys have repeatedly shown that one of the biggest challenges for employers is the lack of experienced and qualified staff to manage all those defences; studies have also shown that employing a manager in this area could significantly reduce cyber security related costs. In March 2011 the "Cost of Data Breach Study" found that US organizations which hired a chief information security officer with enterprise-wide responsibility for data protection lowered the cost of the data breach by an average of 35% per compromised record (Symantec, 2011). The study averaged cyber breaches at 5.5 million, so the investment in a trained and experienced member of staff to manage security is easily justified.