A bridge too far?

THE ICT THREAT LANDSCAPE

Most agree that the ICT security threat landscape is more dynamic now than ever before. The emergence and proliferation of hackers for hire, advanced persistent threats and the like form an ever-changing risk environment that is difficult to deal with and almost impossible to predict.

Couple this explosion in security events with business imperatives such as the relentless push to the cloud, the need to improve speed to market while reducing ICT costs, and the scarcity of staff with the appropriate skills, and we have a ‘perfect storm’ of security risk.

Security issues make the front pages of mainstream newspapers regularly, and CXOs want to know how to keep their organisations out of the press. Budgets are tight, and there is an increasing need to focus scarce security resources on the business risks that matter most. While many security people are quite able to identify technical problems, they often struggle to translate these into business risk.

Business leaders are frustrated by this lack of appreciation of their concerns. What they want is a view of how likely each threat is to eventuate and what the impact on their business would be.

So it seems that the business wants to know about risk, whereas IT typically provides compliance tick-boxes, not risk information.

THE PROBLEMS WITH ‘SECURITY REPORTS’

Many customers have commissioned third parties to provide a security report of some sort at some stage in their quest for answers.

These traditional, lengthy, point-in-time security reviews often don’t meet the organisation’s business and governance needs. They are typically based on a rigid methodology and metrics that may not suit every customer. Customers have limited time and ability to interpret and implement the recommendations in these heavyweight reports before they become outdated, and the reports ultimately fall into disuse.

WHAT KEEPS LEADERS AWAKE AT NIGHT?

Talking to the CXOs of various organisations, the implication is that a number of questions remain unanswered, for example:

· What are the top threats to my organisation?

· Which threats are most likely to eventuate?

· Which assets do these threats impact?

· Which assets will be impacted the most?

· Where are my assets? (shadow IT etc.)

· How do I raise visibility of risk to the board and meet governance requirements?

· How do I move forward with confidence in my digital strategy? (cloud etc.)

CONCLUSION

These issues cannot be solved by technology, yet technology is often the knee-jerk response from ICT security. We need to bridge the chasm between IT security and the business.

More articles by Lawrence Ostle