Info security needs new focus
To stay ahead of rapidly evolving security threats, information security must move up the business agenda and change focus in order to understand, detect and respond to threats, as opposed to focusing mainly on prevention.
This is the view of Johann van der Merwe, information security expert and De Beers group head of information security.
Van der Merwe points out that information security today is fundamental to a business's ability to survive. "It must enable governance and proper control, avoid downtime, and prevent losses that extend beyond the loss of data or valuables," he says. He adds that strategic planning and economic growth depend on information gathered and shared electronically: any unintentional disclosure of, or tampering with, the information on which future decisions are based could have a catastrophic business impact.
However, he notes that no system is impenetrable. "Therefore, the focus of information security has to shift beyond perimeter protection or, more generally, prevention. Now, we need to understand the attackers, what is happening in the cyber crime space, how attackers are likely to penetrate systems, what they are likely to target, and why."
He adds: "We need to assume that attackers are already inside if we keep assets of great value, and build capability to stop them from achieving their ultimate objectives."
The environment changes continually, and staying abreast of evolving threats and attack techniques requires constant vigilance. It is the role of information security to do that, he says. Much like the physical security environment, information security requires ever-changing tactics to stay ahead of criminals. A major difference between physical and cyber security, he says, is that the barrier to entry for cyber criminals is low and it is easy for criminals to hide in cyberspace.
Van der Merwe says that, in information security as in physical security, enterprises need to identify their most critical assets, then carry out a detailed risk assessment to understand the business processes end-to-end and the threats to them.
"You need proper threat modelling, and to map out the environment and threat landscape. You must understand the entire environment, and then work through attack and defence scenario planning. If we accept that there is no organisation hackers cannot breach, we need to protect the most critical assets, try to force the threat to take a specific approach once within the internal environment, and create barriers that will set off alarms and allow time to respond."
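One concrete form of the barrier he describes is a honeytoken tripwire: decoy assets planted where an intruder who is already inside would look, with no legitimate consumer, so that any touch is an alarm rather than noise. The following is an added example written for this page, not code from Van der Merwe or De Beers; the log format, asset names, allowlist and time window are all assumptions made for illustration (the access key is AWS's published example key, not a real credential).

```python
"""Honeytoken tripwire: alert on any touch of decoy assets that nothing
legitimate should ever read, and escalate when one actor trips several.
Hypothetical example; log format, asset names and thresholds are assumed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy ("canary") assets deliberately planted along likely attacker paths
# (assumed names). Nothing legitimate uses them, so any access is high-signal.
CANARY_ASSETS = {
    "/srv/finance/backup_credentials.txt": "decoy credential file",
    "svc_legacy_reporting": "decoy database account",
    "AKIAIOSFODNN7EXAMPLE": "decoy cloud access key (AWS documentation example)",
}

# Accounts allowed to touch canaries, e.g. the job that plants and verifies them.
ALLOWLIST = {"canary-maint"}

# Two distinct canaries hit by the same actor inside this window is treated as
# active internal probing and escalated (assumed threshold).
PROBE_WINDOW = timedelta(minutes=30)

# Constructed sample events, JSON lines as a file-access / auth log might emit.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:00Z", "host": "fs01", "user": "canary-maint", "action": "read", "object": "/srv/finance/backup_credentials.txt"}
{"ts": "2024-03-01T09:05:12Z", "host": "fs01", "user": "jsmith", "action": "read", "object": "/srv/finance/q3_report.xlsx"}
{"ts": "2024-03-01T10:12:41Z", "host": "fs01", "user": "jsmith", "action": "read", "object": "/srv/finance/backup_credentials.txt"}
{"ts": "2024-03-01T10:19:03Z", "host": "db02", "user": "jsmith", "action": "login", "object": "svc_legacy_reporting"}
{"ts": "2024-03-01T14:40:00Z", "host": "api01", "user": "ci-runner", "action": "auth", "object": "AKIAIOSFODNN7EXAMPLE"}
"""


def parse_events(text):
    """Parse JSON-lines log text into event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect_canary_access(events):
    """Return alerts in time order: one 'canary_access' per unauthorised touch
    of a decoy, plus a single 'internal_probing' escalation per actor once that
    actor has tripped two or more distinct canaries within PROBE_WINDOW."""
    alerts = []
    hits = defaultdict(list)   # user -> [(ts, object), ...]
    escalated = set()          # users already escalated, to avoid repeats
    for ev in sorted(events, key=lambda e: e["ts"]):
        obj = ev["object"]
        if obj not in CANARY_ASSETS or ev["user"] in ALLOWLIST:
            continue
        alerts.append({
            "kind": "canary_access", "severity": "high",
            "user": ev["user"], "host": ev["host"],
            "asset": CANARY_ASSETS[obj], "ts": ev["ts"].isoformat(),
        })
        hits[ev["user"]].append((ev["ts"], obj))
        # Distinct canaries this actor touched within the window ending now.
        recent = {o for t, o in hits[ev["user"]] if ev["ts"] - t <= PROBE_WINDOW}
        if len(recent) >= 2 and ev["user"] not in escalated:
            escalated.add(ev["user"])
            alerts.append({
                "kind": "internal_probing", "severity": "critical",
                "user": ev["user"], "host": ev["host"],
                "assets": sorted(CANARY_ASSETS[o] for o in recent),
                "ts": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_canary_access(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed log, the allowlisted maintenance read is ignored, `jsmith` raises two access alerts and is escalated to internal probing when the decoy account login follows the decoy file read within the window, and the CI runner's use of the decoy key raises a third access alert. The value of the approach is that the decoys sit on the path an attacker is forced to take, so the alarm fires before the real target is reached.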
Then, critically, information security needs to have the ear of top management in order to effectively act against threats.
This, he says, is where IT security differs from information security. "IT security may focus on technology infrastructure and patching systems. But information security needs to understand the big picture. This means it needs to understand the business and its processes, and have the mandate to make recommendations on mitigating risk at the highest level. For example, if the enterprise is undergoing a major change, information security should be in a position to advise executive management on measures to control information security risk during the change. To do so effectively requires a skill set that extends far beyond IT security."
These skills, which expand on strong technical skills, are in short supply, adds Van der Merwe, but they are increasingly important in a world that is rapidly becoming ever more dependent on networked technologies. "We must invest in people to solve the cyber security problem on a 'people level' and a technical level," he says. "This starts with awareness, buy-in and support from both the private sector and government. It is a long-term project, but like any problem, it cannot be solved overnight."
Van der Merwe will speak on new approaches at the upcoming ITWeb IT Security Summit.