A security program should begin with IT and business people getting round a table and ‘talking, and talking more’.
Speaking in a session at the SC Magazine Cyber Security Day, Steve Durbin, global vice president of the Information Security Forum (ISF), highlighted the top five threats for 2013 as: cyber (in)security; supply chain; Big Data; cloud; and consumerisation.
An opening audience poll found that 36 per cent of listeners deemed social media to be the largest threat, followed by third-party suppliers at 29 per cent. Durbin said: “It is very important to focus on the ‘so what’ question and address the issues, as it can become a major challenge for me.”
For cyber (in)security, Durbin recommended following initiatives in cyber space and law enforcement, and establishing links with them to "broaden your security knowledge and improve your cyber resiliency, and to make sure your contingency arrangements are in place".
After a start to 2013 that saw third-party flaws and zero-day vulnerabilities well covered, Durbin recommended assessing what security third parties are using, as this can have an impact on security departments.
He said: “Review your security implications and impact; would you be impacted? Take issue with your business rather than a solo standpoint to mitigate against potential risks.”
For Big Data and cloud, Durbin recommended reviewing legal aspects of agreements and governance and "being clear on where the data is, what you do with it and how you see it".
He said: “Ensure security is included, determine where it is on the way in and on the way out as that is the only way you will have any clout.”
Finally, for consumerisation and bring your own device (BYOD), Durbin recommended having a policy in place with good governance of devices within the business context. If BYOD is to be adopted, he also recommended looking at encrypting data, mobile data loss prevention technologies and authentication technologies.
He said: “It is about maintaining situation awareness and knowing how to deal with attacks. Do an assessment within your organisation and you will be better equipped to deal with things.”