In my recent travels which spanned the globe and included stops in Hong Kong, Singapore and New Orleans, I had the pleasure and opportunity to network with a wide range of technology, security and audit professionals. In addition to all of the great networking, I was honored to speak at the InfoSec and the ISACA sponsored conferences.
Attendance at all events was incredible and the attendees were eagerly seeking new learnings, need to know information and the latest and greatest security threats we all face in our companies regardless of industry. Common themes I observed given the ever changing threats facing IT security professionals from each of the events were cybersecurity, regulatory influence and trends and security best practices.
Cybersecurity has made it to the top list of priorities for many governments in the Americas, Asia, Europe and the Middle East. It has been considered the highest risk to financial institutions per the US Securities and Exchange commission (SEC). Ransomware, now the largest cybersecurity threat (zdnet.com), has risen dramatically in the past year to the point of diverting security vendors’ attention from leading the charge on mobile security (Channelnomics.com).
As I saw and heard first hand, regulations are not letting up any time soon. On the contrary, the regulations are becoming more stringent because organizations continue to experience security breaches, audit exceptions, fraud incidents and the like. For example, in 2015 various US industries witnessed a spike in SEC civil enforcement actions against public companies (cfo.com). Singapore and Philippines central banks move to tighten cybersecurity following recent cyber-attacks (philly.com).
The audit community had a large presence at all of the events I attended with the goal of ensuring audit checklists are complete. In their continuous effort to conduct thorough audits for the domains they’re responsible for, auditors always look for control gaps that cause increased risks to they’re production environments. Some of the key gaps I noted at the various events were related to access controls, 3rd party access, and privileged access.
The best part of all these events was the opportunity to sit in on vendor demos or show cases. It was great to see the leaders in the security industry delivering products that contribute to the same goal of protecting critical assets. Products varied from access controls, IAM, PAM, DLPs, audit/compliance management, and many more solutions. It is clear, industry professionals and vendor partners should always work together to help each other eliminate threats, reduce risks and bring organizations more into compliance.
The last theme picked up at all events was the concept of continuous compliance. Many organizations are waking up to the fact that achieving compliance is a huge undertaking given the facts observations listed above. In my experience, many organizations are operating in the “after the fact” mode when it comes to compliance. They implement controls, they do not conduct self-assessments, they undergo an audit and finally find themselves scrambling to remediate the outcome. Given the rise in threats, attacks and endless audits our processes must change. Security controls must be embedded in our daily processes and procedures – become part of the plumbing. As organizations mature in their processes so will need be for their security controls. So let us all remain diligent in our efforts to continuously maintain and protect the confidentiality, integrity and availability of our sensitive and confidential “protected” data.