Updated: Aug 16, 2019
The purpose of Information Security is to protect an organisation’s business and its employees. In order to prioritise investments and resources, it is important to understand the correct level of protection mechanisms that ought to be required and to understand the threats relevant for each organisation. Of course this information is specific to each organisation, but there is some general information that is of interest to most organisations.
This report summarises a few major trends within the Information Security community and what organisations should do to protect themselves. We want to make this available for all of our customers in order to contribute to a safer Internet!
You are free to use this information as you wish, but please mention Innovate Security as the source; see Creative Commons CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/).
Do not confuse Compliance and IT-Security
Before we start with the report, it is important to mention that you should not confuse Security Compliance (e.g. with a set of regulations or frameworks) with being secure, which requires implementing the more technical side of Information Security, i.e. IT-security.
Compliance is similar to buckling up: it’s the law.
IT-Security is like safe driving: full of ifs and buts.
Six trends within Information Security
More regulations, more detailed regulations.
More incidents, and the attackers get more clever.
More focus on Data Protection, i.e. Privacy.
Different implementations of ”Artificial Intelligence” will be used both by attackers and defenders.
The need for a Cloud Security strategy will increase, as will the need for controlling suppliers.
The complexity of organisations’ technical security mechanisms and processes will become a security threat in itself.
These trends have been identified on several Information Security forums and blogs, among other sources. This is a distillation of many different information sources and our own view of how to build an efficient and effective Information Security Architecture.
1. More regulations, more detailed regulations
Following the year of GDPR (2018), we have seen more detailed and comprehensive regulations, e.g. EBA/GL/2019/02. Many believe that this trend will continue, as a consequence of the fact that companies seldom do what is necessary without regulations.
Most companies lack simple ”order in the house” kinds of things, such as knowing where your valuable information is, what processes are connected with which IT-systems, and what security controls to implement where. The regulators see this lack of control and will therefore be forced to increase the granularity of the regulations and controls. The organisations will in turn be forced to cope with more detailed revisions and controls, which will require more control, documentation and ”order in the house”.
What to do:
Get ”order in the house”. A good way for organisations to do this is to use Business Continuity as a vehicle to increase the transparency and awareness of the connections between processes, information objects (i.e. the Crown Jewels) and IT-systems.
Work actively with the GRC-team (Governance, Risk and Compliance), and involve the DPO and Information Security to create cross references between these domains.
Create a clear ownership of business processes and IT-systems.
Create a mandatory update period of documentation each year.
In the next post we continue with trends 2-4...