2020: What will Information Security look like in 5 years?
By Dr. Tim Godlove
What will be the priorities of information security practitioners in 2020? Organizations are now more complex than ever before and there is no evidence that the next five years will reverse this trend. Companies have adapted to operating in a global and decentralized market economy, placing increasing reliance on vendors, suppliers and contract staff for operations managed previously in-house. They have changed their internal structure to compete better in changing markets and in diverse economic conditions and have learned to leverage new technologies to increase the speed of both communication and business.
This complexity has brought new risks that pose an ongoing security challenge at a time when information security is already arguably at a disadvantage against emerging threats, new attack tactics and new technologies. These developments make information security one of the most dynamic industries in the world. In 2013, there were significant data breaches across multiple industries and governments, impacting millions of users. This year has brought more of the same. Is this the uncertain future we will have to live with in the coming years? Can we accept degraded privacy and security and billions of dollars in lost revenue, damage, reduced brand value and remediation costs? Organizations need to develop or maintain a robust risk strategy or suffer stunted growth, loss of revenue and legal liabilities.
Future threat environments will force security and risk leaders to create new, adaptive control environments. Given the importance of computer and information security, investment in information security is now recognized as a critical issue by both practitioners and academics alike. Much of the recent information security research has focused on the technical aspects of reducing information security breaches.
Security vulnerabilities, increased dependence on information, and pressure from consumers and regulators require organizations to spend more on securing information assets. At the same time, increases in information security budgets require proper techniques for evaluating investment decisions pertaining to information technology security. Research devoted to the economic aspects of information security is emerging and has centered on the difficulties of defining and measuring the costs and benefits of information technology security.
To better support business decisions today, information security functions must evolve from a risk-reduction role to a genuine risk management role. The information security function becomes the facilitator of stakeholder risk decisions, providing information and support to the true risk owner so that the owner can make the decision. Security practitioners need a risk manager's mindset to help organizations seize the opportunities of emerging technology.
The first step in managing a budget is knowing what services the funds will have to support. This may seem simplistic, but it is a step many security leaders cannot complete without a great deal of thought and research. When security programs grow organically over time, it can be hard to keep track of added services without concentrated and continued effort. The same may be true when security leaders must quickly develop their programs based on what regulators or management require them to provide.
Business managers tend to be reluctant when making decisions on information security investments because such investments are associated with uncertainty. Indeed, this uncertainty clouds managers' view of information security, and many perceive it as a cost or a difficulty rather than an initiative with strategic value. The uncertainty of information security investments can be reduced with sufficient, high-quality information, allowing managers to justify their strategic decisions and improving the adoption rate of information security. This approach differs from using information merely to deliver awareness: it adds clarity and encourages managers to weigh their investment decisions, rather than purely promoting the necessity of information security investments.
Security practitioners must help organization leaders overcome this uncertainty by knowing what services the security funds will have to support. Security vulnerabilities, increased dependence on information, and pressure from consumers and regulators require organizations to spend more on securing information assets. Increases in information security budgets require proper techniques for evaluating investment decisions pertaining to information technology security. Security practitioners must build a relationship with organization leaders by demonstrating the return on investment of information technology security. They need to educate organization leaders about the real security risks to personally identifiable information and intellectual property. Security practitioners have to work side by side with executives to define, dissect, and defend this data and to make a compelling business case for budget. Too many organization leaders spend money on security without taking the time to assess the risk and consequences of an attack on the core business value of the organization. Analyzing security investments, performing systematic risk assessments, and applying economic analysis to find the optimal level of security investment, based on the expected loss and the likelihood of security violations, will make business management aware of the true business risk.
The proactive security practitioner points out to organization leaders the value of data protection in concrete terms, such as whether it generates revenue or helps maintain a competitive advantage. This requires security practitioners to have detailed knowledge of security services, staff, and expenditures. Failing to provide an in-depth understanding of where the money goes has implications that extend well beyond the budget. The next generation of security practitioners must know the business and ensure a return on security investment to prepare the organization for the future of information security.
Information security professionals must manage their budget responsibly and proactively to protect the organization's high-value and high-risk assets. Such a proactive approach will support organization leaders' decisions on information security investments and contribute to the integrity and value of the business.