
21 Dec 2009
If the focus of a year could be summed up in one word, the word I would choose for 2009 is risk. Ignorance of true risk, mismanagement of known risk, and misunderstanding of potential risk precipitated the collapse of our global economic system. The bad news is that it took a crisis of such great magnitude to draw world attention to the need for effective risk management.
This newfound awareness is good news for those of us in information security leadership. A recent study conducted by PricewaterhouseCoopers on information security in 2010 revealed that the role of information security within organisations has increased significantly and is now widely recognised within executive ranks as strategic to organisational health and success. It’s about time.
Renewed attention to and focus on risk is often the impetus for significant growth in our industry. In year 2000, at the height of the dot-com bubble, denial of service attacks on and defacements of websites ushered in renewed growth in anti-virus and intrusion detection products to fortify vulnerable perimeters.
In the period between 2003 and 2005, our attention was drawn to the vulnerability of information itself with the advent of phishing and pharming attacks. This awareness spurred development of information-centric security solutions such as data loss prevention, desktop file encryption, security and information event management and risk-based authentication.
What to expect in 2010
What do we see for 2010? In terms of vulnerability, we see coordinated attacks on the rise. These combined attacks often rely on Trojans to harvest Personally Identifiable Information (PII) and credit card data. That data is then exploited, by people directly or through social engineering tactics, to steal assets. Those assets are eventually delivered to established drop zones for profit sharing.
The Royal Bank of Scotland incident is one high-profile example of a remarkably coordinated attack: it combined stolen account numbers with a network of “cashers” scattered around the world who, in the span of 12 hours, drained close to $10 million from more than 2,000 ATM accounts.
Not only are the threats increasing in sophistication, but the degree to which malware and Trojans have permeated small businesses has reached pandemic proportions. Large enterprises are not immune either. RSA’s anti-fraud command centre in Israel reports that not only is the number of Trojans doubling every quarter, but in a single month, 60 per cent of the Fortune 500 companies were determined to be contaminated with Trojans from infected employee laptops.
To address this ‘pandemic’, I believe another transformation is coming. Security-as-a-service and Safety in the Cloud will become central themes in 2010, not just for large enterprises but for small merchants as well. With regard to smaller organisations, we will need to finally face the fact that these operations are ill-equipped to understand, let alone stand up to, the security required to defend against today’s attacks. We need to offer security services that are cost-effective, convenient and transparent.
Our collaboration with First Data Corporation is a good example of a cloud-based tokenisation service available to merchants of all sizes who are responsible for the protection of credit card information. The service removes credit card data from merchant environments through a solution that is hardware agnostic, scalable and completely transparent to the consumer.
Larger organisations will face new and different challenges as they flock to the cloud in pursuit of dramatic cost and resource efficiencies. It is incumbent upon the information security industry to enable that migration and ensure safety in the cloud. In fact, I believe the transition to the cloud can and will offer opportunities for even better security than is possible in physical environments given the opportunity we have to embed security controls directly into the virtual infrastructure, making those infrastructures secure and policy aware.
Renewed awareness
As we head into 2010, renewed awareness and understanding of risk will once again spur the industry on to new growth. Security delivered as a service will offer protection to those who lack the expertise and/or resources to stand up their own security platforms. The unique security challenges and opportunities introduced by cloud computing will push us to match and surpass physical security as we implement virtual infrastructures.
And information security leaders, who finally have the ear of the chief executive officer, will develop security strategies that not only identify, quantify and mitigate risk but enable innovation and growth in the coming decade.
Art Coviello is president of RSA, the security division of EMC.