Security needs to start saying yes says ISF’s Davis

The ISF is busy working on updating their standard of good practice - the results of which will be visible in May. The objective, explains Davis, is to bring it “into line with COBIT and other best practices.” Updates will include focus on consumerisation, governance, and external suppliers.

Consumerisation, says Davis, is having a big impact on the information security landscape. “What’s really interesting is that if the device is owned by the business, control can be implemented. However, when personal devices are brought into the enterprise, that’s where the control is lost”.

“Businesses need to make a risk management decision – weighing up the benefits of their staff having the newest and best technology and the risk of data loss”. It is very important for the business to talk to IT to make this decision, he insists. “Saying no won’t help security’s case. People will always find a way around it.”

It’s important for the business to understand that if used properly, technology can be really good for business. “End users have a higher expectancy with regards to ease of use and functionality. If security measures get in the way of their job, they will bypass it.” The “trick”, says Davis, “is to build security in so they don’t know about it.”

Adding Value

Security, insists Davis, has to add value to businesses. “Security can’t be seen as a cost centre. Information security is becoming more essential to the business, but in order for it to continue this way, we can’t be seen as ‘the guys that say no’. If that is what is perceived, they’ll just find someone to say yes”.

Moving away from a closed security discussion to an open, transparent, business-centric profession is how the industry needs to progress, says Davis. The key to this is employing information security professionals who have technical, business and strategic skills. “All good CEOs have these skills. They can translate business talk into technical and back again”, explains Davis. “This is the industry’s challenge – to bring in more of these people”.

Unpredictable Predictions

The ISF have recently released their 2013 threat horizon report (you can see this here). Infosecurity asked Davis to look back at the 2011 threat horizon report which was released in 2009 and analyse the accuracy of the predictions.

The 2011 predictions included:

  • Crimeware as a service
  • Weaknesses in IT infrastructure
  • Erosion of network boundary
  • Mobile malware
  • Espionage
  • Web 2.0 threats

“Crimeware as a service, in particular, has really exploded. Twenty-four seven malware support is available, botnets can be purchased very easily”.

Erosion of the network boundary has “definitely happened, as a result of globalisation, the rise in outsourcing and mobility”, he says. “There has certainly been a rise in mobile networks with a certain level of security built in”.

One prediction which Davis believes is yet to happen is the explosion of mobile malware. “It’s starting to occur, but not so much yet. As smartphones are used more for online banking, apps, etc, mobile malware will increase. The criminals will go where the money is”, he says.

In regards to the biggest current threat to information security, Davis confidently insists “it’s still people leaving laptops on the train”. Awareness, he sighs, is still not working. “Are we delivering the wrong message? Are we not engaging people? Are we putting out the wrong message to the wrong people?”

These are questions that Davis and the ISF – and the rest of the industry – will continue to ask.