Security CIO Concerns

The General Data Protection Regulation (GDPR), agreed across the EU, became enforceable on May 25, 2018, and was designed to modernize the laws that protect the personal information of individuals. … It also strengthens the rights of individuals, gives them more control over their information, and provides for sizeable fines for companies that are not in compliance.

Recently, hacking has taken center stage not only in politics but for almost every enterprise connected to the web. Newsweek reported that hacking cost corporate America over $445 billion, and a similar recent study put estimated losses at $575 billion.

Each year, the Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues, releases its ‘Threat Horizon’ report to provide a forward-looking view of the biggest security threats over a two-year period. Here are the nine threats it identifies.

1: The IoT leaks sensitive information

The Internet of Things (IoT) is growing at a rapid clip as the value of real-time data collection becomes clear. But the devices used to collect the data aren’t necessarily secure, potentially creating a backdoor into organizations.

The ISF recommends that you do the following:

  • Implement security processes for adding IoT devices to a network, or risk regulatory fines and reputational damage for poor data protection.
  • Seek consent for data collection ahead of IoT deployment, and consider not only what information is collected but also what is allowed to be shared and with whom.
  • Ensure that terms and conditions for using customer data are transparent and meet regulatory requirements.
  • Look at IoT security holistically, as opposed to dealing with devices in isolation.

2: Ability to protect is progressively compromised

Established methods of information risk management will be eroded or compromised by a variety of (usually non-malicious) actors. According to the ISF, security has moved to the top of the agenda, but most boards don’t understand that substantial improvements to information security take time, even if the organization already has the right skills and capabilities in place.

The ISF recommends you do the following:

  • Engage with the board regularly to provide a credible view of risk in line with the board’s risk appetite.
  • Align the board’s expectations of security improvements based on current and future capability of the CISO and information security function.
  • Initiate a talent program to transform the CISO and information security function from technical specialists into trusted business partners.
  • Learn from those who have already transitioned into trusted business partners.

3: Governments become increasingly interventionist

The ISF believes the next two years will see governments around the world take an even greater interest in scrutinizing new and existing technology products and services used by citizens. It predicts governments will adopt a more intrusive approach in dealing with organizations that handle personal information, especially major technology companies. Some governments are also using the potential threat of terrorism and similar concerns to introduce legislation they could not otherwise get passed.

The ISF recommends that you do the following:

  • Understand how current and proposed regulations and legislation could evolve in light of growing political and popular demand for greater data protection.
  • Don’t wait. Be proactive and prepare for the change in regions where regulatory sentiment is shifting.

4: Disruptive companies provoke governments

The ISF believes that companies with aggressive commercial strategies that are disrupting their sector — companies like Uber, Airbnb, and Google — will prompt politicians and regulators to take a closer look at the domestic impact of new technologies. ISF expects regulation to spread to include product and service providers across the broader technology sector. The ISF believes governments’ awareness of these technologies will grow faster than their understanding of the social and political implications, leading to reactive and poorly conceived government policies that neither encourage economic growth nor increase data protection for their citizens. 

The ISF recommends you do the following:

  • Avoid political opposition by understanding the local context within which products and services are delivered. This is a particular challenge for organizations that scale fast and have a minimal physical presence outside the country where they are headquartered.
  • Develop a clear strategy for political influence and engagement, focusing on a principle-based system of regulation (as opposed to compliance checklists).
  • Explore possibilities for collective influence, such as joining or starting a trade association.

5: Regulations fragment the cloud

Legislative changes will impose new restrictions on how personal data is collected, stored, exchanged, and disposed of over the next two years, according to the ISF. Organizations that depend on cloud services can expect to suffer a particularly heavy impact.

The ISF recommends that you do the following:

  • Understand how current and proposed regulations and legislation could evolve in light of growing political and popular demand for greater data protection.
  • Don’t wait. Be proactive and prepare for a change in regions where regulatory sentiment is shifting.

6: Criminal capabilities expand gaps in international policing

Cybercriminals now have technical capabilities and reach on a level with governments and other organizations, and the ISF believes they will extend those capabilities far beyond those of their victims.

The ISF recommends that you do the following:

  • In the short-term, stay abreast of cybercrime’s evolution and put in place appropriate controls and robust, resilient systems.
  • In the medium-term, build a threat intelligence capability so that risk assessments are carried out at regular intervals, and are as fully informed as possible.
  • In the long-term, proactively influence governments to cooperate and build international legal frameworks that can effectively fight cybercrime.

7: The cyber insurance safety net is pulled away

The ISF believes that several large data breaches in the next two years will result in significant financial losses for insurance companies that have offered cyber insurance and mispriced the risk.

The ISF recommends you do the following:

  • Reassess risk management strategies in advance of a crisis, in particular, the extent of risk that is being transferred via cyber insurance.
  • Examine cyber insurance policies for potential costly exclusions.

8: Researchers silenced to hide security vulnerabilities

Researchers regularly uncover software vulnerabilities and make them public in an effort to improve security. But manufacturers have begun responding to this trend with legal action rather than working with the researchers to fix the vulnerabilities. 

The ISF recommends the following:

  • Technology buyers should insist on greater transparency during the procurement process, including access to the manufacturer’s vulnerability disclosure policy and external vulnerability testing results.
  • Manufacturers should consider offering financial rewards to researchers who responsibly disclose vulnerabilities, and, if necessary, use mediation services to agree on satisfactory disclosure practices.

9: Opaque algorithms compromise integrity

Organizations are increasingly using algorithms to operate and make decisions in critical systems. Without a human at the center of these decisions, organizations have less visibility into how their systems function and interact. Unintended interactions between algorithms can create incidents that result in significant disruption.

The ISF recommends you do the following:

  • Identify exposure to algorithm-controlled systems and know when human involvement is a liability and when it is a fail-safe.
  • Update code maintenance policies.
  • Identify alternative ways of treating risk from algorithm-related incidents, especially if insurance is not an option.
  • Conduct robust business continuity and resilience planning.