2. The Threat Horizon, 2014-2016
Over the next two years, the ISF expects businesses to move from a time of growing cyber criminality (2014) to crime as a service (CaaS) upgrading to version 2.0 (2015) and eventually encryption measures failing (2016). While in 2015 a challenge will be many CEOs still “not getting it,” by 2016 they will have figured it out, and chief information security officers (CISOs) had better have the skills and tools to deliver, the study said.
3. Nation-State Backed Espionage Goes Mainstream
Where government espionage activities were once behind the scenes, by 2016 they’ll be out in the open, and the result will be an “even more unruly cyberspace trading environment.” The ISF advises building relationships within and across industry sectors. “The government was never really in our corner anyway,” Durbin said. “For me, real trust is about how you build trust with the partners you build business with.”
4. A Balkanized Internet Complicates Business
5. Unintended Consequences of State Intervention
Even organizations not implicated in wrongdoing will suffer collateral damage as authorities “police ‘their corner of the Internet,'” according to the report. Durbin said the ISF recently changed its nondisclosure agreements for U.S. members, to take into account that they may have to disclose information to the government, if required. “It’s about organizations understanding what governments are able to ask for and being open about that with partners. In the past, we didn’t have this kind of openness.”
6. Service Providers Become a Key Vulnerability
The ISF advises fostering strong working relationships with service providers “with the aim of becoming partners.” Durbin said, “The smaller guys are a weak link, because they often don’t have the security in place. If you’re an acquiring organization, why not share information? Or be clear about what [security practices] you require from suppliers.”
7. Big Data Equals Big Problems
Organizations that put blind faith in big data will make strategic decisions based on faulty or incomplete data sets. Avoid this by outlining a process for applying big-data analytics to information security problems, the ISF advised. “Security still hasn’t made use of all the tools that business makes available—like big data,” Durbin said. “But increasingly, it’s front and center.”
8. Mobile Apps Become Main Route for Compromise
Try to find innovative ways to keep workers alert to the risks of “bring your own anything” (BYOx), the report said. One way people are doing this, Durbin said, is through “5 to 9 initiatives” that talk about what people do at home and how they can do those things more safely. Workers then naturally bring those best practices into the workplace, eliminating the need for a shift in behavior.
9. Encryption Fails
“People felt that encryption was the security [measure]. That assumption has proven to be not the case,” Durbin said. Businesses should prepare themselves by identifying their most sensitive assets and preparing appropriate solutions for protecting them. Not all data is created equal, so its protections should not all be the same either.
10. The CEO Gets It, Now You Have to Deliver
The CISO will need to demonstrate value. Prepare for this by aligning the “security function with the organization’s approach to risk management,” the report said. Durbin added that security should be treated like any other business risk; CISOs don’t want to be put in a position of justifying the cost of security when there isn’t a breach. “Make security a business cost,” Durbin said.
11. Skills Gap Becomes a Chasm
The skills gap is widening; prepare by developing talent and creating incentives to retain it. Durbin said businesses need to be more aggressive about getting the skill sets that they need. “Government is looking for the same skills as the private sector … which raises another challenge around trust,” he added.
12. Information Security Fails to Work With New Generations
“Those who grew up with security [and] privacy questions have a different perspective than those of us coming to it later. Security [means] different things to different people, and that creates a challenge,” Durbin said. Prepare by adapting policies and procedures to engage generations Y and Z. Their approaches to “work, socializing and privacy are vastly different … and they won’t fit with the traditional security models,” the report said.