Continuing our discussion of a few trends within Information Security, here are trends 5 and 6.
You are free to use this information as you wish, but please mention Innovate Security as the source. Please refer to Creative Commons CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/).
5. Cloud Security strategy and controlling suppliers
As with all companies that take steps towards the Cloud, organisations need to work with important strategic and tactical challenges. Which applications/solutions should be in the Cloud and which should not? Again, the cooperation between Business Development and the IT Architects needs to develop tactical and strategic solutions and road maps. Once this discussion is ongoing, the GRC team needs to be involved to implement necessary controls and influence specific choices of solution patterns etc. (before they are implemented).
Cloud solutions will solve certain information security risks, but will introduce new ones. Specifically, a Cloud solution will, in general, be more resilient and thus simplify the work with Business Continuity. Note that a Cloud solution does not solve Business Continuity by default; the organization still needs to drive this internally and work on it regularly.
Cloud solutions will also pose a challenge for organizations that are under supervisory control, e.g. in the financial market. There is evidence that many organizations seek to certify themselves in order to make the supervisory control more efficient. Specifically, the Swedish supervisory authority Spelinspektionen, which controls gaming, has explicitly stated that compliance with ISO/IEC27000 will be sufficient for complying with specified chapters in their regulations.
What to do:
Create a forum where IT-architects and business architects may discuss the impact of Cloud for the organization.
Create regular reviews of the Cloud Services used and make sure that relevant security requirements are followed up yearly.
Work actively with the GRC team (Governance, Risk and Compliance), and involve the DPO and Information Security to create cross-references between these domains.
Create a clear ownership of business processes and IT-systems.
6. Complexity of organisation’s technical security mechanisms and processes will become a security threat themselves
The security market comes up with new products to counter the attacks, but there has been increasing evidence that the complexity of technical protection, i.e. security products, makes security updates impossible for the products they are intended to protect. Thus, continuing to build a patchwork of IT-security gizmos will not increase security indefinitely; there is a need to focus on orchestrating the different security mechanisms. In some cases security might even increase by removing a specific security mechanism.
As a support for building efficient security controls, consider the following principles:
Security should be easy to use; if security mechanisms are complex and hard to use, people will find ways around them.
Security by obscurity is almost always bad; security solutions should stand up to peer review.
Avoid the “Security Gap”, i.e. it is better to have a known level of security (even if it is low) than to believe that you have high security when you do not.
What to do:
Build an Information Security Architecture based on international standards, e.g. ISO/IEC27000, and best practices.
Review the efficiency of the security mechanisms regularly, e.g. “red team tests”, “penetration tests” or similar.
Involve domain experts when designing new systems or when upgrading systems and review the overall security.
Implement regular internal controls, Key Performance Indicators or Key Risk Indicators that indicate the efficiency of the security mechanisms.
This concludes Innovate Security's summary of six of the trends within Information Security.