As the threats continue to escalate, having the capacity for intelligent risk analysis has never been more relevant. This is especially true as the economic climate continues to be unstable - though the economics of crime remain certain.
Here are four resolutions every business must make for 2016:
Ensure you know your information asset landscape
It behoves all professionals with responsibility for both information and technology to arm themselves with a greater understanding of what is required to embed security from the outset. This means that there must be more focus on information, and less on “cyber”.
This is not easy, given the history that many are working with. The threat is being realised within cyber space, but the risks are coming from all domains: people, process, technology, and physical. Professionals know this.
Ensure you know the potential impact of threats to those information assets
Without full knowledge of your information assets – that is, without knowing what is important to your organisation and what could happen if that information fell into the wrong hands – you create a blindness that is itself a risk, and you cannot report truthfully on your security posture.
Stop taking responsibility for solving all things “security” related – it’s a team sport!
Security is everyone’s responsibility – and everyone needs a lot more understanding! For example, procurement needs to understand the implications of the deals being undertaken, as does the legal department. They shouldn’t be looking to the security community to educate them on matters of information-based legislation – they should be able to keep up with the law themselves.
HR also needs to be much more engaged in disciplining employees that behave badly in relation to security issues. They must support the need for good security behaviour as an active element of annual appraisal processes.
IT also needs to factor safety and security into all change management and future development, instead of leaving security until the end. None of this is rocket science or new.
Stop focusing on only the cyber domain
Finally, the security industry itself needs to look deep into its soul and reflect on the ethics of selling pipe dreams of layer upon layer of defence over known insecure systems. Under this model, the real incentive is not to fix our problems, as that would mean clients wouldn’t need to buy any more solutions. With the growth of the “internet of things”, this approach is going to embarrass us all.
By Andrea Simmons, information security expert and lecturer at the Global Institute of Cyber, Intelligence & Security (GICIS)