So what will be keeping your organization's CISO from getting a good night's sleep in 2013? While the answer to that question might vary from business to business, the unifying factors underlying the cause for your enterprise security chief's insomnia will most likely be tied to the rapid adoption of new technologies that are outpacing the resources available for many information security programs. The culprits? According to a new study by the Security for Business Innovation Council (SBIC), the main areas of concern from a security standpoint will include mobile device management, corporate social media engagement, and big data for market intelligence - but topping the list will be the migration of business critical processes to the cloud.
"These trends will have a big impact on information- security programs, revealing significant and growing gaps including a lack of business skills, relationships, supply chain management, and tech-savvy action plans," the SBIC report states.
The SBIC is an industry think tank that was formed several years ago and is currently composed of information security professionals from some of the world's largest corporations across multiple sectors, including Intel, Coca-Cola, eBay, FedEx, Johnson & Johnson, and Walmart. The report, titled Information Security Shake-Up, was designed to assist enterprise security management teams in identifying and preparing for the unique challenges they will likely face in the coming months.
Topping the list of what the group identified as being "disruptive technologies" is the continued growth of cloud computing service options. The report notes that the majority of companies have already engaged some aspect of cloud-based services, led by Software-as-a-Service options at 82%, followed by Infrastructure-as-a-Service (51%) and Platform-as-a-Service (40%), and estimates show that spending for these forms of managed services will increase an average of 19% per year.
The main obstacle to adoption of cloud-based services is concern over security, and even though half of the respondents in the report believe that cloud security has matured enough to begin migrating some business-critical operations, only 30% indicated they have developed an effective cloud security strategy.
"The increasing demand for cloud computing will force organizations to find effective ways to evaluate their providers’ security controls to ensure they meet requirements, including implementing continuous monitoring," the report concluded.
The authors of the report recommend security managers focus on the following:
- optimizing cloud vendor management
- solving controls assurance
- realigning the IT budget to cover the costs of cloud security
- sharpening technical proficiency in virtualized environments
Key to the successful adaptation of security programs in the enterprise will be winning over middle management, who see the cost savings that cloud services may offer but may fail to recognize that an investment needs to be made to fulfill regulatory and compliance mandates and to ensure due diligence on security concerns.
"Middle managers don't want to use their resources on security. They are incentivized by timeline and budget; adding security doesn't fit into their objectives... Security teams need to build relationships with middle managers, helping them understand the value of information security. It may be a harder nut to crack than the C-suite," the report notes.
The authors of the report also point out that with a move to the cloud, organizations will need to be able to assure that service providers meet an objective threshold for trust, that they can effectively address the threats particular to the business, and that they can guarantee compliance and data retention/destruction requirements specific to their industry.
"Organizations are ultimately accountable for safeguarding the information handled by their cloud service providers. Cloud computing is forcing information-security teams to switch their focus from implementing controls to assuring that the controls implemented by others meet requirements," the report states.