Cybersecurity: will it be the ‘it job’ of IT?
- 30 December, 2015 06:30
The continuing cybersecurity skills gap is one of the biggest threats to our security, says Garry Barnes, international vice president, ISACA, a global association for IT assurance, governance and cybersecurity professionals.
“Managing the risks associated with cyber security threats and emerging threats from cyber terrorists and hacktivists will have an incredible impact on our way of life,” says Barnes, as he notes the cybersecurity trends organisations have to prepare for in the next 12 months.
Thus, he declares, “Cybersecurity will be the ‘it job’ of IT in 2016.”
“It will be critical to continue to entice candidates to get the skills necessary to reduce the gap.”
Barnes shares three other cybersecurity trends for the upcoming year:
- Cyber-extortion and cyber-bullying will hit IoT devices, such as wearables and gaming systems
As the use of online technology evolves in 2016, we predict more ransomware for IoT devices, such as wearable devices, says Barnes. “We are also expecting a rise in attacks against non-traditional platforms like smart home devices and gaming platforms, as IoT security risks continue to pose unique vulnerabilities.”
- Millennials will care more about privacy breaches
“With breaches on non-traditional targets expected to rise, we predict that 2016 will bring a shift in privacy thinking for millennials as they place a higher value on protecting their information.”
- Mobile malware, mobile financial fraud, and identity theft will be on the rise
As we see a continued decline in desktop use, more services are reverting to the mobile platform, notes Barnes. “We predict that in 2016, increasing malware will be the cause of various mobile breaches that result in financial loss and identity theft.”
Cybersecurity a priority in Kiwi firms, but…
A research report from IDC New Zealand, meanwhile, finds both IT and line of business executives agree cybersecurity is a key initiative running within their organisation.
Although cybersecurity is seen by 80 per cent of organisations as a key IT priority, there is a big gap that NZ organisations should be worried about.
“Everyone is planning on cyber security initiatives – but many are woefully unprepared with a big gap between those planning initiatives and those who have a comprehensive strategic framework and KPIs,” says Louise Francis, research manager, IT spending, IDC New Zealand.
“Most still have an ad hoc approach and this won’t be enough.
“Only half have a comprehensive strategic/architecture framework where compliance [is] required,” says Francis. “Even worse, one in five have no broad base strategy or governance framework,” she says, quoting the findings of the IDC C-Suite Barometer 2015.
The survey of 220 organisations, completed last September, likewise notes distinct differences in cybersecurity approaches across market segments.
The larger the company, the more likely it is to have cybersecurity as a key initiative. Almost all large businesses have an initiative underway, according to Francis.
The smaller the company, the more likely there is to be no broad base strategy/governance. A third of small businesses have no strategy.
The survey notes CEOs making cybersecurity a KPI for management is closely correlated to certification rates in government, manufacturing and BFSI (banking, financial services and insurance) segments.
Retail and wholesale, a segment prone to cybersecurity threats, has one of the lowest rates of initiatives, lack of strategy, certification, and CEO KPIs, the survey finds.
Wanted: Information sharing hubs
The Institute of Directors, meanwhile, is calling for the creation of ‘information sharing hubs’ to combat cyber threats.
“Cyber sharing hubs are a feature of the international scene and play an invaluable role in the collective response to threats,” says Simon Arcus, IoD CEO.
“Many companies have no forum to share data and there is often a reluctance to discuss attacks. This puts commercial data at risk, where a combined response to threats will be a major advantage and drive down costs.”
The IoD believes cybersecurity threats must be shared within the private sector and between the private sector and government.
“Rapid information sharing is an essential element of cybersecurity because a collective response is more effective than companies trying to deal with cyber-risks alone,” says Arcus.
“It is a huge advantage to hackers that businesses are unwilling or unable to share data. Hubs make collaboration safer, faster, and easier to respond.”
The IoD says the government must lead and urgently expedite plans for better information sharing because it is the only entity that can facilitate information sharing groups in a cross-industry and liability appropriate environment.
“We need businesses to have safe places to share. We must link the good initiatives we have seen from the government in lockstep with the private sector needs. We need to see a breathless pace of action from government with a fresh, energised framework for engagement in place.”
Arcus adds that government must lead in the establishment of a sharing hub but tread a fine line between involvement and ownership of the space.
“I don’t think government should own or run these groups, but they should be kept informed and act as a key player and facilitator.”
He says political leadership is a key feature in the cyber hubs in countries such as the United States, where there are a number of Information Sharing and Analysis Organisations (ISAOs). President Obama issued an Executive Order in February to encourage more information sharing on cybersecurity threats with the government and each other.
In the UK the Cyber-security Information Sharing Partnership (CiSP) is a joint industry/government initiative to share cyber threat and vulnerability information. Its members exchange cyber-threat information in real time, in a secure and dynamic environment but, critically, protections exist for doing so, says Arcus.
“Cyber hackers respect no national boundaries. It is old fashioned to think that geographical distance equates to protection from threat for our islands. We need to take the steps any country with a modern developed cyber-infrastructure might do.
“If we do not facilitate private sector sharing we face the dire outcome that the hackers start to win. If you don’t report a house break-in to the police they can’t solve who did it. In New Zealand’s case we aren’t even telling each other there are burglars in the neighbourhood. That ignorance will play into our enemy’s hands.”
Follow Divina Paredes on Twitter: @divinap