Almost a year has passed since Target experienced a massive data breach, yet the company is still feeling pain over the problem: S&P cut Target’s credit rating this fall, projecting a negative impact on sales well into 2015. Other companies dealing with data breaches are seeing the same long-term damage, and it is impossible to overemphasize the importance of preventing information security problems before they happen. For 2015, there are three concerns that any chief information security officer should be considering.
Open Source Dependencies Require More Attention
Heartbleed and Shellshock demonstrated the gap between the trust companies put in open source projects and the resources those projects have to work with. In many cases, there are no alternatives to using open source solutions. However, when implementing such an option, having procedures to vet open source tools and to ensure their maintenance is crucial. The challenge, especially in the next year, is to establish those procedures. That can mean teaming up more effectively with the open source communities creating these tools, as well as working on these problems internally.
Education and Control of Employees’ Technology is a Priority
Cyber attacks are now common, taking advantage of both wider vulnerabilities and of individual lapses. In many organizations, the fight against letting employees use their own devices may be a lost cause. Even so, the continuing trend towards remote work means that CISOs must take the lead in educating employees on best practices and enforcing compliance. Tools that force compliance (like requiring two-factor authentication at login) are starting to mature, offering better options for CISOs.
Updating Cryptography Solutions Becomes Non-Negotiable
The next year will require CISOs to evaluate their own use of cryptography, as well as that of their vendors and other partners. With Google’s announcement of its intent to refuse certificates using MD5 and SHA-1, updating cryptography technology is no longer optional. This situation presents an opportunity to revisit the security and cryptography technologies used throughout an organization. However, the changeover will drive up demand for anyone with security expertise, so moving fast to secure those resources will pay off for any CISO who can do so.
Preparing for 2015 Now
The next year will bring new threats, from the data breaches all CISOs work to prevent to vulnerabilities not yet imagined. But by finding the resources to collect cyber threat intelligence and by being aware of the trends already set in motion, chief information security officers have the potential to get ahead of these concerns for 2015.