How do we know if we’re doing information security well? How far along the journey to information security nirvana are we and what does that place even look like? George Arronis, the Head of ICT Risk and Security for Serco Asia Pacific has some views on positive and negative trends he’s seeing.
“Three key things the industry has done well are that there is a growing security awareness, we’ve adopted security frameworks to guide our security thinking, and we’ve tackled major threat themes over the last while. Although attacks are still happening, the industry has developed multi-layered countermeasures to those threats,” he said.
So, what aren’t we doing well? “Whilst security awareness is growing, it hasn’t necessarily changed user behaviour in the way we want it to. That continues to be a challenge, and the research has shown that humans continue to be the weakest link in information security,” according to Arronis.
In addition, Arronis says we need to get a handle on the economics of information security. “We need to understand things like ROSI - return on security investment. Another area is getting an idea of the real cost of security breaches in an organisation.”
In Arronis’ view some of the internal costs aren’t well understood as they are often absorbed by the business. There’s a need to get to a more detailed financial view of those losses. He says that a small number of organisations, identified as “true leaders” in a recent PwC security report are at that point but it’s not yet a mainstream level of business wisdom.
In response to the changing threat landscape, Arronis notes that we are moving away from the old “castle and moat” model to a new one focussed on the detection and management of threats. This is because “the physical perimeter has moved”.
“Our data footprint is quite extensive. Managing that is difficult. The focus for organisations is on knowing where the crown jewels are and putting protection around them.”
Over the last couple of years, there have been significant changes in how IT departments deploy and operate systems. In parallel, there are many instances where business units bypass IT and procure their own systems—often using external SaaS and IaaS providers—coupled with potential data leakage on mobile devices that might be unprotected.
“It’s about getting on the front foot with those emerging technologies,” says Arronis. “Consumerisation of IT has bolted and it is making it difficult for IT departments to catch up and manage that. But, even if it is to a degree retrospectively, organisations can put in a base level framework to manage those new threats. But it is a challenge and it goes back to being an ongoing odyssey. You fix one thing and something new comes up”.
For IT departments, this means being reactive, able to detect, restrain and counter threats when they occur, but also being proactive: engaging with the business and staying aware of the changing threat profile.