2011: What’s Your IT Security Plan?


George Hulme

A gusher of Web application vulnerabilities, malicious insiders and sophisticated malware threaten networks and data. To keep your systems reasonably secure, what will your security focus be during the year ahead? The answer to that question might depend on what kind of business you’re in – or maybe not. To help you get some focus for the year that’s just dawning, Threatpost spoke with leading chief information security officers (CISOs) and security analysts who have their ear to the (fire)wall. Here are their security priorities for 2011:

Find and retain security talent
The difficulty in obtaining and keeping IT security talent was a refrain we heard from many of the experts we spoke with.

“It’s the single biggest challenge we have going forward,” says the chief security officer at a Midwest food producer who asked for anonymity. “I’m not talking about having trouble finding rock stars. It’s extremely difficult to simply find anyone with adequate security management and communication skills,” he says.

A Booz Allen Hamilton study published earlier this year confirms he isn’t alone. The study cited an insufficient pipeline of new potential security professionals and expressed concern that the U.S. is failing to produce enough IT talent in general. What’s to be done? Most experts advise looking for skilled internal network administrators, application developers and IT managers who show an interest or aptitude in security, and training them in-house for appropriate security roles. If outside talent turns out to be available, grab it before someone else does.

Batten down the apps
It used to take serious expertise to crack web applications. Not anymore. The knowledge to exploit holes like SQL injection vulnerabilities is common today. At the same time, application security tools, such as fuzzers, are no longer an arcane specialty. The result: more enterprises are going to focus on improving the native security of the applications they both buy and those they build.

“I think web application vulnerabilities will get increasing attention next year,” says Andrew Braunberg, research director, enterprise networks and security at Current Analysis. “The focus will not just be on web application security, but web security in general,” he says.

Align IT security with your business

Until recently, the majority of IT security’s efforts have been focused on deploying defensive technologies, from firewalls to security event managers and intrusion prevention systems. Those technologies are still important, but there will be an increased emphasis on aligning security efforts with business objectives in 2011.

“We’re positioning ourselves to be a part of new IT initiatives earlier in the planning phases. That way we can provide more proactive guidance,” says the CISO at a UK-based manufacturer. “It’s much more effective than trying to engineer security onto an initiative already deployed and underway. Having this chasm between the business and security has been one of the greatest shortcomings of our security efforts,” he says.

Get back to security basics
For reasons that are hard to determine, many firms are not focusing on the security basics. According to PricewaterhouseCoopers’ 2011 Global State of Information Security Survey, investments in a number of core IT security areas have recently slipped. For instance, fewer organizations are conducting background checks today: just 56 percent of the 12,840 C-level executives who responded to the survey identified background checks as part of their current security strategy, compared to 60 percent last year. Even security awareness programs are on the decline. Just 49 percent of respondents to the PwC survey used them, down from 53 percent in 2009.

“Budgets got painfully tight for us in the past two years, and we cut too deep in a number of areas we shouldn’t have,” says the UK-based CISO. “After a number of infections and other incidents, we’re boosting investments in awareness training and vulnerability scanning. Some areas just can’t be cut,” he says.

Security incident response plans
Another harsh realization: despite best efforts, more enterprises have found that they’re not going to be able to stop every breach. Therefore more organizations are going to allocate some budget to incident response. “Contingency plans are vital and most often neglected,” says Wilson, a risk management consultant and founder of El Cerrito, CA-based risk consultancy RiskSmart Solutions. Now, after watching a number of successful high-profile attacks in 2010, more firms are going to prepare for how they’d handle the worst. “These plans need to be ready, tested and detail what to do when something does go wrong,” says Wilson.

While that last priority may sound pessimistic, consider this: according to the Privacy Rights Clearinghouse, more than 500 million records have been breached in 2,022 separate incidents over the past five years. With staggering numbers like that, incident response may just be the most important priority of all.

George V. Hulme is a Minneapolis-based independent writer with a sharp focus on IT security and technology.
