
How important is it to build a resilient cyber security framework

CIOL Bureau

MUMBAI, INDIA: Steve Durbin, Global Vice President of Information Security Forum Ltd, talks to Pankaj Maru of CyberMedia News about the importance of building a resilient cyber security framework that lowers the risk and impact of unforeseen threats for organisations and enterprises. Durbin also explains the emerging threats arising from BYOD and IT consumerisation, how traditional IT security frameworks can be enhanced, and the role of the Information Security Forum (ISF).


CIOL: From the ISF's perspective, what are the key emerging threats faced by organizations and enterprises worldwide today?

SD: As the future is uncertain, organizations must prepare for the unpredictable so they have the resilience to withstand unforeseen, high-impact events. A forward-looking stance increases organizational agility and resilience. Cybercrime, along with the increase in online causes (hacktivism), the increase in the cost of compliance to deal with the uptick in regulatory requirements, coupled with the relentless advances in technology against a backdrop of under-investment in security departments worldwide, can all combine to cause the perfect threat storm.

Organizations that reverse stress test by identifying what the business relies on most (organizational assets, external dependencies for example) will be well placed to quantify the business case to invest in resilience and therefore minimise the impact of the unforeseen.


CIOL: In one of the ISF reports, consumerization of devices or technology is seen as a growing threat to IT. Can you briefly explain how consumerization is a cause of concern in terms of posing threats to IT?

SD: The number of smart and connected devices is rising sharply. 64 million tablets were sold in 2011 (16% of PC sales) and Gartner forecasts this to grow fivefold to 326 million by 2015 (61% of the number of PCs). Disparate mobile devices are present across many organisations, creating more risk. The combination of their ubiquity, the predominance of two systems (Apple’s iOS and Google’s Android) and the treasure trove of data they contain has made it worthwhile for criminals to write malicious software for these devices.

There is also a continued conflict between security restrictions and ease of use. Users won’t be satisfied with just contacts, calendars and emails; they want access to more critical business applications and the sensitive data they contain. The problem isn’t easily solved. The rapid introduction of a variety of devices could leave security vendors playing catch-up for some time to come.


CIOL: Even the latest trend of the BYOD concept across organizations is seen as an IT threat. Can you explain a bit how BYOD is a threat to IT?

SD: Organizations are facing a growing set of challenges as employees increasingly select and use tablets and smartphones, as well as laptops, to perform their work. The rise of the ‘company car’ IT scheme (‘pick any of the following — you pay if you want something higher performance’) — also known as Bring Your Own Device — means that information will need to be secured across many more platforms that are not wholly under the direct control of the organisation.

A key challenge is that many of the most popular consumer devices were not designed from the start as business tools and do not offer levels of security comparable to current desktop and laptop computers. What is more, the way such devices are used blurs the line between personal and business usage and behavior. Among the potential risks to the organisation are misuse of the device itself, external exploitation of software vulnerabilities and the deployment of poorly tested, unreliable business apps — all of which opens up new routes for data loss, another way for an organisation’s reputation to be damaged.

CIOL: Most large enterprises and organizations have, to an extent, an IT security framework in place based on a traditional approach. With the new emerging security threats, in your view how can the traditional security framework be changed so that it is more relevant to the changing times and technology, and also does not add a financial burden to the organization?

SD: In terms of governance, there is a view that information security is 10 — 15 years behind IT, who themselves are 10 — 15 years behind corporate governance. As the requirement to protect information becomes more stringent, the scale, complexity and sophistication of IT-related attacks on enterprises have increased. US Federal agencies reported more than 40,000 security incidents that placed sensitive information at risk during 2010 – a 650% increase compared to the previous five years. The Verizon 2011 Data Breach Investigations Report reported that data losses in 2011 were at the second highest level since recording began in 2004, with a 31% rise in breaches caused by hacking and a 20% increase in those involving malware.


Enterprises are attacked regularly using techniques including hacking, malware and social engineering, designed to maliciously acquire information or damage enterprise assets. The same enterprises also have to deal with the consequences of errors or accidents leading to corruption or disclosure of information. Against this backdrop, boards and stakeholders need assurance that information risk is being addressed and that legal and regulatory requirements for information protection are being met in a structured, efficient and consistent manner.

CIOL: Can you explain the role played by the ISF and what its mission is?

SD: Founded in 1989, the ISF is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in information security and developing best practice methodologies, processes and solutions that meet the business needs of its members. ISF members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that members adopt leading-edge information security strategies and solutions. And by working together, members avoid the major expenditure required to reach the same goals on their own.
