In today’s business environment, market disruptions are a persistent topic of strategic planning discussions. Automation, artificial intelligence and increased connectivity will continue to drive our growth strategies, but it is crucial that organizations account for the evolution of cybersecurity in their strategic plans. Below are 4 evolving areas that will drive your organization’s success or peril over the next 3-5 years.
Technology Change Acceleration
The way we conduct business and serve customers continues to increase our reliance on technology. Competitive organizations are differentiating themselves by implementing emerging technologies, such as automation and artificial intelligence, to gain operational efficiencies and provide real-time services to customers. Expansion of process automation increases the amount and type of data we collect, which presents additional opportunities for malicious attackers to exfiltrate valuable strategic information that was once processed and secured by humans. In addition to the expanded data attack surface, the shift from human-based security to system-based security has a profound impact on processes and internal controls that were once performed by humans.
There is a strong focus on training our organization’s human workforce, but we must also begin to consider our robotic (digital) workforce and develop strategies to build security routines into our machine learning curricula.
Attack Surface Expansion
As we adopt evolving technologies, such as mobile applications, drones, robotics and the Internet of Things (IoT), our production efficiency, revenue channels and profitability should increase. A by-product of these technology disruptors is the expansion of an organization’s attack surface. “Attack surface” is the term we in information security use to describe all of the devices we connect to our networks, each of which increases the “surface”, or set of targets, available to malicious attackers. A key risk in the adoption of emerging technologies, and the resulting expansion of the organization’s attack surface, is the identification, inventorying and management of IoT devices and of the upgraded infrastructure required to operate them.
The complexities associated with implementing emerging technologies into legacy infrastructures often force organizations to rely heavily on third-party providers for device installation and configuration. As we’ve discussed in previous posts, any time you introduce a third party into your IT environment, their security posture becomes your security posture.
Strong vendor management controls, pre- (and post-) implementation reviews and full-scope advanced penetration testing that includes every IoT device are crucial to minimizing the risks presented by the ever-expanding attack surface.
Continued Rise of Shadow IT
Shadow IT, the IT systems and solutions used, and sometimes built, inside organizations without organizational approval or the IT department’s knowledge, has been a challenge for IT management for many years. With the rapid release of cloud-based solutions, users can procure and implement technologies, such as Box.com and Dropbox, without the knowledge or approval of those charged with IT governance and management. Shadow IT technologies may not comply with organizational security policies and can introduce significant additional cyber risk into the organization – all without the knowledge of the IT department. Several risks arise from shadow IT, such as decentralized user access management, inconsistent data protection requirements and data integrity issues, the last often due to data duplication across approved and rogue systems.
While we are currently unable to eradicate 100% of shadow IT risks, organizations can significantly reduce them by developing and implementing strong technology procurement, development and deployment policies; developing and implementing a sound data governance program; implementing data loss protection (DLP) solutions to prevent sensitive data from leaving the secured corporate network; validating IT asset inventories by conducting routine host discovery and verification procedures; and ensuring that penetration testing procedures cover the full scope of the organization’s attack surface. We regularly find instances of shadow IT during our advanced penetration testing and IT audit engagements, which indicates pervasive weaknesses in organizational IT policies, procedures and data governance. Most of the shadow IT threats we uncovered were the result of employees or business partners being unaware of the organization’s policies around unsanctioned technology.
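One way to put the “routine host discovery and verification” step into practice, and to keep the IoT device inventory discussed under Attack Surface Expansion honest, is to reconcile every discovery sweep against the approved asset list and surface anything IT governance does not know about. The script below is an added example, not HORNE Cyber’s tooling; the CSV export format, column names, hosts and MAC addresses are all constructed for illustration.

```python
"""Reconcile a host-discovery sweep against the approved asset inventory.

Added example (not the blog's or HORNE Cyber's code). Assumes the discovery
scanner exports rows of ip,mac,hostname and that the approved inventory
carries ip,mac,hostname,owner. All hosts below are constructed samples.
"""
import csv
import io
from dataclasses import dataclass

# Constructed approved inventory: what IT governance believes is on the network.
APPROVED_INVENTORY_CSV = """ip,mac,hostname,owner
10.20.1.10,00:1a:2b:3c:4d:01,fileserver01,IT
10.20.1.11,00:1a:2b:3c:4d:02,hr-app01,HR
10.20.1.50,00:1a:2b:3c:4d:05,badge-ctrl,Facilities
"""

# Constructed discovery sweep: what was actually observed on the network.
DISCOVERY_CSV = """ip,mac,hostname
10.20.1.10,00:1a:2b:3c:4d:01,fileserver01
10.20.1.11,00:1a:2b:3c:4d:99,hr-app01
10.20.1.77,00:1a:2b:3c:4d:77,nas-sales
10.20.1.80,d4:f1:2a:00:00:80,camera-lobby
"""

@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str    # "unknown_host", "mac_mismatch" or "missing_host"
    detail: str

def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def reconcile(inventory_csv, discovery_csv):
    """Return findings: hosts not in inventory (likely shadow IT), hosts whose
    MAC changed (possible device swap), and approved hosts no longer seen."""
    approved = {row["ip"]: row for row in load(inventory_csv)}
    seen = {row["ip"]: row for row in load(discovery_csv)}
    findings = []
    for ip, host in seen.items():
        if ip not in approved:
            findings.append(Finding(ip, "unknown_host", f"{host['hostname']} ({host['mac']}) not in inventory"))
        elif approved[ip]["mac"].lower() != host["mac"].lower():
            findings.append(Finding(ip, "mac_mismatch", f"inventory {approved[ip]['mac']} vs observed {host['mac']}"))
    for ip, row in approved.items():
        if ip not in seen:
            findings.append(Finding(ip, "missing_host", f"{row['hostname']} (owner {row['owner']}) not observed"))
    return sorted(findings, key=lambda f: (f.kind, f.ip))
```

Each unknown_host finding is a candidate for the shadow IT conversation with its owner; a mac_mismatch deserves a look before the next penetration test scope is finalized.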
Widening Cyber Assurance and Security Skills Gap
Cybersecurity unemployment is currently 0% and there are 1 million unfilled jobs in the field. Expectations are that the critical cyber talent shortage will not ease soon, with unfilled positions anticipated to increase to 1.5 million by 2019. Students are graduating from U.S. computer science programs with little to no coursework in cybersecurity. While still challenging, organizations can recruit graduates for positions such as information security analyst, to monitor security tools and alerts, but the mid-level to senior cybersecurity specialist roles are nearly impossible to fill. IT security and IT operations roles, and their related skillsets, are very different, which makes re-training existing staff difficult. Additionally, organizations must not lose focus on efficient and effective IT operations, which is the current responsibility of the very individuals who could potentially be retrained.
Because of the skills crisis, organizations turn to third-party information security and assurance providers to assist with the daunting task of securing their organization. Third-party service provider policies and controls are crucial for all IT service providers, but detailed, effective due diligence is imperative when selecting an information security partner. Information security providers not only have access to a tremendous amount of valuable information about your infrastructure, but they also maintain a roadmap of your organization’s vulnerabilities, linked to the vulnerable systems. A breach of an information security company’s IT infrastructure provides the proverbial “keys to the kingdom” to their clients’ networks. There are recent reports of information security company breaches that demonstrate that not all providers “practice what they preach” when it comes to information security. Several articles on HORNE Cyber’s Executive Insights Blog provide additional insights on questions to ask and what you should expect from your third-party security providers.
To remain relevant and competitive in any industry, you must be strategic in your response to today’s business technology disruptors. Technology disruptions that impact the security of your organization’s sensitive data and day-to-day operations must hold a key place on your next, and future, strategic planning agendas. Taking a detailed look at your IT security policies and procedures, data governance program, vendor management program and third-party information security provider relationships is a great first step in building your cyber resilience and ensuring your organization remains a competitive going concern in today’s digital revolution.