I've conducted a lot of security research recently while writing whitepapers and tech-editing books, and in this time, I've come to believe that security in the enterprise is still not where it needs to be. The following are some of the security statistics, from this year alone, that completely blow me away:
- According to the ASIS International 2009 Impacts of Current Economic Environment on Security report "…the need for security has increased in the current economic climate. Indications are stronger among the CSO segment, with 78% reporting an increase, compared to 66% of the managers…"
- A February 2009 FBI report states that cyber criminals have stolen more than $433 billion, which translates to 6% of the U.S. economy.
- A February 2009 Ponemon Institute study reports 88% of data breaches were attributable to staff negligence or lack of awareness.
- According to a February 2009 ThomasNet Industrial NewsRoom article, "Almost 60% of employees stole company data upon leaving their jobs last year. As the economy worsens and more people are laid off, more insider theft is expected to occur."
- One of my favorite benchmarks -- The Chronology of Data Breaches is up to 255,742,917 sensitive records involved in security breaches since 2005. A new security breach incident is recorded nearly every day.
Clearly, the argument over whether or not enterprise security is a cost center is moot. This is a business problem that needs well-thought out answers. Nothing's foolproof but it's not that difficult or expensive to step back and take a practical look at security across the business.
Interestingly enough, I've noticed in my work that enterprises still need to address the security issues of the past. I've also noticed there has been some change however. For one, upper management knows information security is important…I'm just not convinced they understand it.
I think many people, especially managers, don't want to think about security; they just want point products. They ask their security administrators to "encrypt these hard drives, implement a data leakage prevention system, upgrade our firewall, or let's put a policy in place against that." The good news is that many security vendors are realizing that point products are not the answer, and they're offering more soup-to-nuts products that run the entire gamut of visibility and control into a particular system or environment. I've also found security issues are often addressed at a tactical, and often reactive, level due to a breach or not-so-good security assessment report.
Remember, information security is more about effective operations than anything else. The right products are only beneficial when it's time to automate and enforce. Keep this in mind when the time comes for your next security assessment, and don't forget to look at the soft side of security as well.
So, what's the next big enterprise security issue? As much as I despise the growing government intrusion into the free market, I believe that passive compliance in order to please the auditors and regulators will soon start to fade away, and a new era of compliance enforcement, with businesses bearing the burden of security responsibility, will surface.
So what can enterprises do to protect themselves from these emerging security threats?
In the short-term, they can fine-tune their security operations, review and fix some of the security issues that have caused problems in the past. Savvy security leaders can also start streamlining their security management processes and begin to find ways to manage all things compliance-related at one level.
And while I don't suggest a sudden implementation of Information Technology Infrastructure Library (ITIL) or ISO/IEC 27001, I do recommend developing an IT security standard or framework that enterprises can build on. Having this long-term strategy in place can help enterprises get ahead of emerging security issues.
Kevin Beaver, CISSP
