Securing the Global Supply Chain
Interview with Adrian Davis of the Information Security Forum
This is the prediction of Adrian Davis, senior research analyst with the Information Security Forum, who believes that last year's top information security challenges will only evolve in 2011.
He also believes that 2011 is the year when security leaders must dedicate more thought and resources to securing the global supply chain.
"What is the level of information security that the organizations we're working with should have?" he asks. "Can we as information security organizations purchasing these services hold our suppliers to a certain level of security?"
In an exclusive interview on 2011 security trends, Davis discusses:
- Top security stories of 2010;
- The biggest global issues that security leaders must know;
- The top information security challenges of 2011.
Davis heads the Leadership and Management group within the Research and Services Team of the Information Security Forum, responsible for delivering client-facing projects. His team covers topics such as the role and effectiveness of information security; the role and skills of information security professionals from junior analyst to the Chief Information Security Officer and Chief Security Officer; managing and assessing information security in third parties; assessing the possible near-term threats to organizations; and cloud computing.
His prior experience includes international project management, the creation and implementation of project and program offices, risk management and strategy formulation.
Davis has chaired the Marcus Evans SecurIT event for the last several years and is a regular speaker at major conferences, including RSA and RSA Europe.
TOM FIELD: Adrian, why don't you bring us up to speed on yourself and what your current work is these days?
ADRIAN DAVIS: Yes, as you've already said, I'm a Principal Research Analyst with Information Security Forum. My current area of interests are unsurprisingly cloud computing and the work. I'm mainly concentrating on information security across the supply chain, which is a huge, huge area that we haven't tackled really I think as a profession in the last sort of four or five years.
Global Security Challenges
FIELD: So Adrian as we reflect on 2010, particularly from your areas of concentration, what would you say have been the biggest global security stories?
DAVIS: I think the first one has to be Stuxnet. I think we can't get away from the fact that here was a tailor-made, very sophisticated piece of malware that was written to do a particular job. The fact, of course, that we found it, I think bodes well for the future, but it does show that organizations whether they be state or state-sponsored are now prepared to invest the time and the money to write sophisticated bits of malware. They are targeted at particular and targeted vulnerabilities within those systems.
The second one for me, and probably the biggest thing we have to deal with, is the mobile device. It has exploded. Mobile phones maybe three or four years ago were just phones. Now they are cameras, music players, email, and with the rise of the tablet, finally, they are becoming true multi-media portable devices, and I can see them replacing laptops in the next three or four years. Unfortunately, they are designed for the user functionality and for user's use. They are not designed with security in mind, and as they come on to our corporate networks, I think we are going to see a lot of struggles to not only assimilate them, get them working in the corporate environment, but to make sure that they can meet corporate security levels that we are used to.
FIELD: Now, a follow-up question for you, Adrian, and especially I want your global perspective on this. As you know, we can sometimes be sort of US-centric in the US. What would you say have been the biggest information security stories that have been unknown or ignored by many people in the US?
DAVIS: I don't know if they have been ignored, but I would say one of the biggest stories has been the UK Information Commissioner and his new powers to fine organizations. Basically the UK Information Commissioner enforces data privacy and enforces the EU and the UK law on keeping data stored on computers private. So there are a whole set of rules and regulations about how you can handle and process data. In the old days, [regulations] had no teeth. Now he can fine organizations up to half-a-million[cost] per data breach. So if an organization loses 30 or 40 thousand ... he has the power to declare each of those an individual data breach, and if he believes the organization has been negligent, he can fine you half-a-million times 40,000. Now I'm not good at math, but that to me would make a dent in any company's profits. Plus of course, we don't want the publicity because you get dragged through the courts, not only for criminal but also for civil litigation. If the fine doesn't do the damage to your bottom line, then those fees certainly will.
Biggest Stories of 2011
FIELD: I'm going to follow up on another point you made, which was about the top issues for 2011. You mentioned mobile devices as one. What do you see as being our biggest security stories as we go into the New Year?
DAVIS: I think the first one we will see probably will be the expose of another botnet or another advanced persistent threat that an organization will suddenly find that it has lost many, many records and either customer data or of internal companies specific data. I know for example that WikiLeaks is going to publish this information about a bank, but I think we're going to just see this happening more and more. I think we will see the continued rise of the sophisticated malware.
I think we'll see the rise if you like of the mobile virus. That is malware that is aimed at tablets and Smart Phones. We talked about this, but now I think it is becoming more of a reality because as people use their phones and electronic wallets to pay for goods and services, then they become more vulnerable. So the traffic and the detailed information held on them will be worth to criminals to try to get hold of.
Global Concerns
FIELD: Now there are a number of global security and privacy legislative matters. You mentioned one initiative in the UK. What do you see as some of the biggest global issues that are going to impact the US in 2011?
DAVIS: I think one of the most difficult ones will actually be sorting out security across the supply chain. What is the minimum level of information security that organizations that are working with you should have? Can we as an organization purchasing the services hold our suppliers to a certain level of security? I know the supply chains become ever more global and ever more intimately connected ... I think this becomes a real key issue for us to solve. And as I said before, it's something that we haven't tackled yet, but I think we really need to start tackling ...
So I think that is one of our big, big issues, getting security right across the supply chain and in addition to that or perhaps it's related to it, is we need to get information security right in the cloud. To me, the cloud is just another external supplier, another way of buying IT services, but we need to make sure that the cloud providers have got security. That they get security and they are actually building into all of their products. If it is done well, I do think we may well see a really good moment in the information security profession, because if the cloud raises the bar of security and a lot of organizations -- especially small to medium-size ones who use the cloud -- they will have a better level of security than they could on their own. So it might actually help raise the bar generally as well as raise the bar across the supplier chains.
Trends to Watch
FIELD: Adrian, a final question for you. Looking for advice for security professionals, no matter where they are in the world, what are the trends and technologies they really need to know to succeed in 2011?
DAVIS: I think there are actually two trends. The technology trend which is understanding how things work, and that is getting more and more difficult with the advent of the closed system, the closed environment like the Apple, for example. The other side is they need to know the soft skills. You can't hide behind technology anymore. We have to be able to talk to the business. We have to be able to express ourselves to the business because they need us and we need them, and we still haven't bridged that communication understanding gap.