The future of IT Security
With the ever-growing IT and digital footprint, organisations are continuously challenged by new IT security risks. The expansion of attacks driven by cloud transformations, remote working and new IT service delivery models poses security risks that have never been seen before. It’s imperative that mitigation plans are put in place to address those risks.
IT and cybersecurity leaders must rethink their defence and response strategies to address these emerging threats. Traditional threats such as ransomware, phishing, data theft, social engineering and denial of service have now become mainstream. Hacking tools have become easily accessible: they can be acquired online through the Dark Web using untraceable cryptocurrencies and then used to hack organisations or deploy malicious software against them. So, what does the future of IT security for organisations look like? And how can organisations prepare for the emerging IT security threats?
Information Security Program
An information security program defines the process for identifying, assessing, and addressing security risks. The impact of security risks can be classified by its effect on the confidentiality, integrity, or availability of the organization’s critical assets. An information security program helps organizations develop a holistic approach to securing their infrastructure and applications, especially in regulated industries where the protection of sensitive data is mandated. The failure to protect the organisation’s data can lead to the loss of business, regulatory fines, and loss of reputation.
IT leaders must have security as a key pillar of their IT strategy. Establishing an enterprise-level information security program has become more of a necessity than ever. It’s pivotal that the program is well planned and coordinated and that it is aligned with the business projects and priorities.
Periodic independent security and risk audits are very important to ensure compliance and continuous improvement of the security posture of an organisation. This helps organisations to always keep up to date with the latest threats in the market. Other procedures such as security incident response strategies and driving security awareness programmes across the organisation are also essential. All these are important to detect, prevent and respond to security threats.
Threats
Traditional threats such as ransomware, phishing, malware, physical security access, social engineering and data theft have become mainstream. So, what are the new threats that organisations need to be on the lookout for?
Cloud transformations have resulted in many benefits for companies in terms of operational effectiveness, improved system performance, and cost savings, but this comes at a cost. Cloud poses a new set of risks that IT leaders must factor into their strategy. The data of the organization is now on the cloud, hosted on a shared infrastructure somewhere in the country or, in some cases, outside the country. Organisations have only high-level visibility into the underlying infrastructure and the security posture of the cloud providers. Secure cloud configuration has become a challenge, especially in a multi-cloud environment. Furthermore, due to the cloud delivery model, there is a significant increase in the use of public network infrastructure, which poses additional threats and vulnerabilities to the organisation.
Prevention
To identify the right prevention mechanism for the organisation, an assessment needs to be done to understand the current state, identify vulnerabilities and risk levels, and establish a roadmap for remediation. Furthermore, the roadmap must include a future state for the IT security posture and recommendations for improvements.
No IT landscape can be 100% protected from security threats; however, establishing and enhancing security capabilities will help reduce or eliminate the risk level in certain areas. These capabilities include layered security, zero trust architecture, privileged access management, vulnerability and penetration testing, security maturity assessment (independent security audits) and physical security reviews. Furthermore, regulatory mandates such as PCI DSS help organisations review targeted business processes to mitigate or reduce security risks. All these security initiatives can be tracked as part of the information security program.
Security by Design
Studies show that 95% of successful attacks are due to poorly designed infrastructure, poorly written code, or misconfigured software. If security is not embedded in the system design process, IT solutions and the digital footprint will always be vulnerable to cyber-attacks. Organisations must proactively factor in security at a very early stage and throughout the system implementation lifecycle. Security by Design is an assurance approach that formalises secure design, coding practices and configuration, and enforces a security control baseline. This approach will help build secure systems and functions that cannot be overridden or modified by unauthorized users, ensure reliable and effective operation of controls, and in some cases even enable near real-time audits and automated governance. Security by design is essential to build products and capabilities that are foundationally secure.
Incident Response
So, have you asked yourself what happens if one of the employees is attacked by ransomware or malware, or faces a security incident such as data theft or fraud? Has the organisation tested such scenarios, or does it have in place an incident response process that can be invoked if such a scenario occurs? Who are the teams involved, and what is the reporting escalation mechanism for such incidents?
Organisations need to have the right leadership in their security incident response team in order to take the right decisions when responding to incidents. Furthermore, security information and event management (SIEM) is a key capability to help address incident response. This is sometimes built internally, but in most cases it’s outsourced to specialized vendors that provide this service for multiple organisations. I personally prefer the latter, as this is a very niche skill set and organisations can benefit from a third-party specialist company to address security incidents under the right SLAs.
Change Management
It is very important to make sure that employees are aware of and trained on various security threats. Organisations must have a security program that covers communication and awareness across the company. This includes raising the awareness levels of fraud incidents, phishing, data theft, social engineering and many other security threats. Employees must also be aware of the escalation process in the company to help deal with such incidents. This may include mandatory training, store visits to raise awareness, impersonation and many other traditional practices to ensure that employees are always alert.
Security Governance
A governance entity needs to be formed within the company to review regular security reports and take the relevant decisions and actions. Escalation procedures also need to be clearly documented and made part of the security strategy. In some organisations, security steering committees are formed to meet monthly or quarterly to monitor security reports, incidents and key projects in alignment with the security strategy and roadmap. Security governance must follow a risk-based approach in order to identify critical risks, build the right response strategies and initiatives, and create security awareness programs to address security end to end.
Technology Leader
2y Good perspective Ali; looking forward and not in the rear view mirror. Things are definitely changing fast
Principal | Oracle License, Cloud, ULA, Audit, & OCI Expert
2y Thanks for sharing
Senior Solutions Architect at Amazon Web Services (AWS) | Generative AI | AIML | Legal Tech
2y Great article
Cloud & Applications Architect | Quantum Researcher | IT Transformation Leader
2y Excellent, Ali Jumaily, you have pointed out a valuable fact. Good thoughts. Thanks for sharing your beliefs.