As 2014 draws to a close, security is at the forefront of everyone’s minds. The most recent unsettling security incident is North Korea’s alleged involvement in the Sony data breach and the implications of that type of cyber attack for other private companies. How should companies prepare for security in 2015?
“The bad guys are going to grow,” Pete Lindstrom, IDC research director of security products, said during the company’s recent 2015 security prediction webinar. “They’re going to adapt and innovate, and so we have to really mirror and match that and hopefully get ahead of them in some ways moving forward.”
An attacker can innovate faster than a regulation, warned Lindstrom. “We have to keep in mind that these folks are nimble and they’re going to get around any kind of… enforced controls that are out there,” he said.
Here are four areas of security outlined in the IDC webinar that IT leaders should consider for 2015:
The first step is to figure out where to invest your money. Companies don’t have enough money to do it all and protect everything, so some analysis is needed to figure out where to strategically invest.
“You need to put this whole concept of risk mitigation on the top of your agenda,” Charles Kolodgy, IDC research vice president of security products, said. “Many more organizations will have to start looking at their security spending by risk because they just don’t have enough money… to protect [everything].”
Kolodgy suggests looking into analytics and software that may be able to help your company get a better understanding of how best to deal with security investments. IT needs to be able to quickly adjust to emerging threats, he added. And old strategic investments are becoming liabilities.
“You need to have a team of security professionals and I think that team should also include a business person… so that they can look at metrics to help with your decision-making,” Kolodgy said.
Lindstrom added: “We’re all better off as we get our arms around understanding economic impacts and probabilities… and get away from this age-old, fear, uncertainty, and doubt kind of approach to securing our enterprise.”
“[Threat intelligence is] not about just generating data as much as it is about figuring out how to get to that intelligence side of things,” Lindstrom said.
To use threat intelligence successfully, Kolodgy said, companies will need to carefully vet vendors to make sure they are getting full visibility.
“The problem is that… there’s a wide range of providers that are both established security vendors, established telecommunications vendors, and a lot of new guys,” Kolodgy said. He advises companies to focus on whether vendors are creating their own intelligence or just amalgamating intelligence. In other words, “are they a secondary or primary source of information?”
Kolodgy said that it is critical for a company to know this as they build out the usage of threat intelligence “because you could have duplication.”
Regardless, having some sort of program in place is key because the software that vendors provide allows companies to “pick that needle out of the haystack,” Lindstrom said. It will be able to tell you that you’re at risk under X circumstances from X person, and that X type of resources needs to be protected more.
Kolodgy also suggests automating threat intelligence because there is a shortage of IT security talent.
“We need to manage the data a lot better than we do it because it is a potential liability,” Kolodgy said. That is especially true because everyone and everything is moving to the cloud.
“It’s in a lot of respects a little disappointing that we’re at the stage we’re in given the nature and sensitivity of data. And [it is] certainly worth pointing out that this also includes the new and improved cloud-based file transfer services and the like from our data stuff,” Lindstrom said. But like it or not, there is no avoiding the cloud at this stage in the game, he said.
Lindstrom suggests “[tethering] your [cryptographic] key into your environment.” He added that “maintaining them under your control is going to be crucial to your long term strategic success around encrypting data and deploying it in the cloud.”
You need to have direct access to your cryptographic keys at all times, Kolodgy added.
“You [also] need to have policies,” he said. It is important for a company to determine what specific categories of information require confidentiality. Once those categories are pinpointed, policies must be put in place.
But in order to do all of this successfully, Kolodgy said it has to be a team effort between the business side, the compliance auditors, and the security team.
Kolodgy points out that because attackers can innovate much faster than companies can right now, it’s important to leverage SaaS, and the agility that comes with it, to compete with attackers and be one step ahead of them.
“You’re not going to have time to roll out a product and train people and hire people,” Kolodgy said.
Either way, companies don’t really have a choice anymore.
“If our data centers are moving to the cloud, our security has got to move with it,” Lindstrom said. He advises that companies leverage outsourced managed security services because if you’re not, “you’re probably missing out on the real great insight that they can gain from attacks going on all over the place.”
Let us know what you think about the story; email Kristen Lee, features writer, or find her on Twitter @Kristen_Lee_34.