The recent attack on Sony Pictures illustrates just how impactful a breach can be, and it will not be the last of its kind. While few concrete root causes of the Sony attack are known, we can infer from the extent of the breach that practices and controls surrounding information access, desktop security, and network intrusion monitoring and prevention will be in the crosshairs.
While defense and banking have held a ‘do or die’ approach to security for decades, many other organizations have passively entered an era where the means to destroy billions in shareholder value sits on central servers, accessible immediately by multiple staff with email and Internet access. This productive combination requires a more rigorous set of thinking to protect than ever before. In 2015, we hope to see a renewed focus on risk-centric data valuation, and the corresponding projects to improve controls in response. Numerous conversations will be held where executives are looking for the most effective tools to buy, and many security experts will be called on to elevate security architecture, risk management, and technical controls.
2015 will be the year when the Russell 3000 stop privately rationalizing that they are ‘not a security company’. Instead, they will embrace the reality that they cannot live without the Internet, and therefore must implement the controls to thrive within it.
-Noah Gray, CSSLP, Senior Manager of Enterprise Architecture, (ISC)²