Going back a few years, IT security was all about prevention. Most organisations had a well-defined set of computer systems needing protection; a security breach would usually consist of someone trying to get access to something they shouldn't. To counter the threat, we would perform detailed penetration tests on computer systems which, if passed, would indicate there was nothing to worry about.
A lot of water has flowed under the bridge since then. We have the Internet, the Web, mobile communications and smart phones; any ideas about security being simply about prevention are long gone. All the same, best practice has continued to focus on risk-based approaches, based on having an understanding of what might go wrong. Define and rank the threats, then you can define the countermeasures.
The term 'zero day attack' was coined back in 2005 to illustrate that breaches were less and less straightforward to predict. Attack vectors continue to evolve both in complexity and audacity - from traditional hacking, through identity theft based on key-logging spyware to fully-fledged social engineering. Particularly given the human element in many recent attacks, simply basing IT security on a risk management approach is no longer enough.
So, how should organisations be thinking about protecting themselves from security breaches in the future? It’s worth noting that the most significant recent developments in IT have been about harnessing the power of technology. Cloud computing, social networking, big data are all based on the premise that IT services can be delivered at orders of magnitude greater than in the past.
Security can also go up a level, using the same technologies to get ahead of the curve. We have frequently talked about our cloud-based offerings, so won’t say much more about these here; meanwhile, CISOs in many companies and government establishments see that sharing security information as a vital weapon against cyber-attack, which should also be extended wherever possible.
Perhaps the most fundamental shift in thinking comes from how we use globally available computer power to get ahead of the game. A good example relates to Security Information and Event Management (SIEM), which involves real-time correlation and analysis of security-related information. If SIEM is the security equivalent of Business Intelligence, the latter is currently feeling the heat of big data, which enables insights to be derived from massive data sets.
If the keyword is ‘predictive’, this recognises that complexity has reached such a point that it is not possible to plan for all possibilities in advance. Even while technology is still evolving, IT security chiefs can already start preparing the way for more forward-looking approaches to IT security. It will always be necessary to prevent direct breaches of computer systems, just as it remains best practice to understand and protect against other risks. But the unknown has become the biggest risk of all.