A group of chief security and risk officers identified Big Data analytics, cloud computing, enterprise mobility and social media as disruptive innovations transforming enterprise IT.
Organizations will need to adjust their information security programs in 2013 to adapt to these changes, they said.
Big Data, cloud computing, mobile, and social media will have a big impact on information security programs, revealing significant and growing gaps, including a lack of business skills, relationships, supply chain management, and tech-savvy action plans, the Security for Business Innovation Council said in its latest report released Jan. 3. The Council consists of senior executives from 19 major companies, such as AstraZeneca, Coca-Cola, eBay, FedEx, Intel, T-Mobile, and Walmart. SBIC is an industry initiative sponsored by RSA.
"The gaps must be addressed in order for information-security teams to keep pace with their organizations’ technology aspirations," SBIC wrote in the report.
SBIC outlined four strategies to help organizations adapt their information security programs: boosting risk and business skills, courting middle management, tackling IT supply chain issues, and building action plans. What was noteworthy about the report was the amount of detail the group provided for each strategy, Eddie Schwartz, chief information security officer at RSA, told SecurityWeek.
"People were getting really specific" on how to deal with these disruptive technologies, Schwartz said.
For example, people have been discussing the security implications of cloud computing for a while now, but the Council didn't just say it was important to have cloud security. The report outlined some of the areas to focus on, such as security controls in virtualized environments, encryption products to protect data, and vendor assessment and management.
As part of the "tech-savvy action plans" strategy, SBIC identified nine action items organizations should adopt to handle the risks posed by Big Data, cloud computing and social media. SBIC recommended looking at its previous report on mobility for suggestions on handling mobile security issues.
Some of the suggestions were very basic, such as creating Facebook and Twitter accounts for the company's leadership so that other people can't create fake accounts, sharing cloud vendor assessments with trusted partners, or adopting data-centric security so that data is protected regardless of where it is. Others were a little bit more complex, such as using Governance, Risk, Compliance (GRC) platforms for continuous monitoring of cloud environments, access control by tracking types and levels of data requests and queries, and monitoring social media for hijacking, malware, and misrepresentation of the company.
The report provided concrete suggestions on what organizations can do to make sure they are keeping up with the changes to the IT environment. While it is important to get buy-in for security initiatives from senior management and the board of directors, organizations need to involve middle managers, Schwartz said. The changing cyber-threat landscape and increasing regulations on how data is protected mean that leadership generally considers security a priority, with CISOs playing a more visible role.
"At most organizations, the C-suite 'gets it' but security teams now face resistance from middle managers who don't want to expend their resources on security," SBIC said in the report.
However, middle managers usually are not on board yet. They are looking at specific timelines and have budgetary constraints. "Adding security doesn't fit into their objectives," the report said. Security teams need to build relationships with middle managers so that security becomes everyone's concern.
Middle managers "may be a harder nut to crack than the C-suite," SBIC said.
One way to really get middle managers on board is to get involved in the early stages of a project, Schwartz said. He cited an example where the security team got involved in the organization's big data project from the beginning and worked with business to understand how the collected data could be used to support other business areas as well as security initiatives. A Big Data project could help drive the company's anti-fraud efforts, for example.
"Every aspect of big data has a security interest," Schwartz said. Along with courting middle managers, it was important to close the skills gap, Schwartz said. Security teams need risk management and business skills.
"Teams have long lobbied to be perceived as business enablers not inhibitors. Now that many are, they don’t have the right skills," SBIC said in the report.
Security professionals aren't always able to "bring stats to the table," Schwartz said. They need to be able to do functional analysis such as performing cost-benefit analysis and calculating return on investment (ROI). If they can show business the quantitative and qualitative benefits of security initiatives, it "can go a long way to bring business on board," Schwartz said.
It's not necessary to have only security experts on the team, Schwartz pointed out. People with quantitative and strong analysis backgrounds can find suspicious patterns in Big Data just as well as, if not better than, the security experts, he said.
Just as IT teams have expanded to include non-traditional roles such as legal experts and analysts, security can add big data experts, financial analysts, and others to close the skills gap, Schwartz said.
In the previous SBIC report, the Council noted a shift towards mobile computing, and that was repeated in this report. Organizations need to prepare themselves for the fact that the majority of their users would be using mobile devices to access their sites and services, not desktops or laptops.
Enterprise IT teams have three distinct challenges regarding mobility: mobile devices with little to no security protections, users who will make bad decisions, and still not enough products on the market to manage mobile devices effectively, Schwartz said, calling it a "perfect storm."
There need to be products for app management and mobile device management, ways to ensure data is secured properly on the mobile devices, and data segregation controls, said Schwartz. While mobile malware is a problem, Schwartz said it was only one small aspect of mobile security. These devices pose yet another point of entry into the corporate network and can potentially have sensitive data saved on them. These are risks enterprise IT has to evaluate, Schwartz said.
Social media risks are tied to the growth of mobile computing, which changes how consumers interact with the organization, Schwartz said. This means there are opportunities for misinformation and scams to spread, all of which can cause brand damage. Organizations need to think about managing and monitoring social media, such as what is being said, who is saying it, and whether it is really coming from the organization or from someone else impersonating the company. While enterprises may decide to handle these issues on their own, there are managed service providers who offer to analyze the SMB's social media presence and identify areas that need to be fixed, Schwartz said.
"Information security must evolve in 2013 from reactive perimeter and signature-based approaches, to risk-based programs that protect the most important business assets in whatever context they may exist – cloud, mobile, or traditional data center," Schwartz said.
Enterprises also must ensure that their IT supply chain is trustworthy and doesn't introduce new threats and risks into their organizations, the report said.