Security Pitfalls to Watch Out for in 2010
Added 21st Dec 2009

Article Highlights
- Malek said that there has been a 90,000 percent rise in information security related fraud.
- According to Gartner, 50 percent data on the cloud would face a major issue to the point of disrupting the entire technology by 2010
- Risk intelligence will help enterprises measure what risks they are taking to generate what value
"There is a war going on in the internet," warned Adel Malek, global leader for IT risk, security, privacy and resilience services, Deloitte. Malek was referring to the exponential rise in information security breaches. He added that in 2009, the United States alone lost $191 billion (about Rs 8,59,500 crore) to security-related incidents.
Malek said that there has been a 90,000 percent rise in information security related fraud. The level of sophistication is incredible. It is no longer your geeky next-door neighbor hacking into your PC. It is organized crime, and enterprises are leaking millions because of it, he added.
Commenting on the security vulnerabilities of new age technologies, Malek said that the need to be vigilant is higher than ever. As more and more CIOs are considering moving to the cloud, he warned them about the security implications of it. “According to Gartner, 50 percent data on the cloud would face a major issue to the point of disrupting the entire technology by 2010. The private cloud and the hybrid cloud are relatively secure. But with the public cloud, you have no idea of where your data is residing, who’s got access to it, or whether your competitors are sitting on the same space as you,” he said.
Social networking sites too expose the organization to further vulnerabilities. “The problem with Twitter or Facebook is that, while it might be a very useful tool for collaboration, it could leak a lot of information,” Malek said. It is getting to the point where people are confused between their corporate persona and personal persona, and this leads to sensitive data being leaked in an innocent way. That’s why, he said, it depends on the personal judgment of individuals, and there are no vectors to deal with this, resulting in unintended consequences.
Malek observed that globally, CIOs and CISOs are expecting new regulations. “Everybody is bracing themselves for new regulations and compliance schemes. Also, we are witnessing a consolidation among jobs of IT risk management, IT compliance, and IT security. This is a tremendous change from the recent past,” he said. According to him, six years ago people didn’t know what a CISO was; now he’s a prominent figure in the organization. People in these positions are taking on more roles. It is not just about security; it’s technology-risk management, compliance, disaster recovery, community management, resiliency and other related elements.
Does that mean security is no longer a CIO’s responsibility? “The CIO is accountable for information and technology; whereas the CIO’s role is that of responsibility. CIOs delegate this responsibility to CISOs to ensure security, integrity and quality of information. However, that said, neither the CIO nor the CISO owns the data. The ownership rests on the business,” Malek said. He further added that the biggest problem that organizations today face is when business shuns responsibility for data security. “The problem occurs when business washes their hands of security and treats it like a technology issue. The CIO or CISO is a mere custodian of data. The business has to recognize and accept their role too,” he said.
Malek advised Indian CIOs to start taking security seriously. “The best security is security by obscurity; like encryption—the reader is protected, but he doesn’t know where the information resides. As technology matures, security will be embedded into everything.”
Malek finds it ironic that a lot of people tend to under-report security incidents within the organization. “A lot of people are under a false sense of security. They either don’t want to talk about it or they are not aware of what is happening.” So what can CIOs learn from this? “Start with the basics,” suggested Malek, and went on to add, “check if you have adequate mechanisms to prevent and detect attacks. The simplest way of doing this is by running a security test.”
However, he was quick to point out that organizations cannot run a business without risk. The trick, he said, is to take calculated steps to minimize risk. Deloitte has developed a methodology called risk intelligence, a relatively automated model for risk assessment. “Risk intelligence will help enterprises measure what risks they are taking to generate what value. You need to understand your organization’s risk tolerance and risk appetite,” he added.
Malek concluded that, as technology matures, security will be embedded into everything. “A few years back, when you wanted to buy a car, they’d ask you if you wanted to buy a seat belt. Nowadays, it’s mandatory. It’s going to be the same way with security. People are integrating products together to come up with a point solution to deal with this. But we are not there yet,” he said.