A key driver for increased security spending is risk management, which tries to mitigate overall risk, defined as "the probability that an organization will lose assets during a successful attack." Risk management entails a few tasks: First, determine the criticality of your assets. If a system is unavailable or if data is stolen, what will be the overall impact to the organization? Next, perform a risk assessment, examining your systems and operation policies to determine the likelihood of a successful attack. Then, define policies, implement procedures and deploy products to mitigate the risks you've discovered. By showing how you can protect business assets from loss, and what the potential loss could be, you will have a justification for increasing security spending.
Furthermore, your security policy may be used by external auditors to ensure that your business processes are run in a secure manner. Just like a financial audit examines profit, loss and the accounting methods used to calculate profit and loss, a security policy tells auditors what processes are in place and how your organization protects information assets. Regulations such as GLBA and HIPAA have privacy and protection requirements.
Several key security areas will deserve your attention in 2003. While it is fun (for some of us, anyway) to theorize about possible attack vectors, in reality, you need to worry about only a handful. These include mobile code, poor application programming, faulty network design and remote device vulnerabilities. Following are the biggest dangers and the most practical advances for combatting them.
Danger: Malicious mobile code and executables
Solution: Use Sandboxing
Forty-four percent of respondents to Information Week's 2002 Global Information Security Survey reported attacks stemming from viruses, worms and Trojans, down from 70 percent year over year. The drop could be due to less malicious code in the wild or increased deployment of antivirus software after Nimda or Code Red, or both. Although antivirus software is decidedly reactive, vendors have shortened turnaround times to several hours after a breakout, so antivirus engines are updated in a more timely fashion.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
