The futility of all vendor predictions
As the New Year starts, many people look forward to what it will bring, and for many this involves looking at upcoming budgets and deciding on what to spend the money earmarked for information security needs.
This is also the time when many vendors have finished making public their lists of top threats for the coming year. Protecting yourself against those predicted threats invariably means buying their products.
These twelve-month predictions should be taken with a large pinch of salt. In many cases, they offer no real insight into the threats that many businesses actually face.
Mobile malware threats, cyber espionage, social network security issues, big data threats and other topics like these are more attention-grabbing than laptop encryption, weak passwords, poor patching practices, and the lack of user awareness training.
So how can you know what threats to concentrate on? First and most important, you need to understand the business of the organisation you are working for or with. If it’s education, your threat profile will be very different from the one faced by a bank or a defence contractor.
To learn about your organisation’s business, pick up its annual report and see if you can get your hands on the organisation’s business plan for the next few years. These reports will give you a good overview of the business environment your organisation works in, and the challenges it faces over the coming years.
For example, if the business is going to expand into new markets you may need to consider new threats based on how the organisation means to reach them. Will it be by creating a new office, by engaging a partner organisation, or by creating a more prolific online presence by using social media and e-commerce?
Alternatively, if the business is going to contract, you need to think about how to preserve the security of the organisation as it reduces staff, closes offices and cuts back on costs.
I would also recommend two additional reports that every person responsible for information security within an organisation should read:
The first is the Verizon Data Breach Investigations Report, which offers great insight into how breaches occur. I suggest you tackle those issues before worrying about the latest and greatest threats that are being hyped by vendors.
The second is the European Network and Information Security Agency (ENISA) 2013 Threat Landscape Report, which highlights the threats that ENISA sees and, being vendor-neutral, provides an excellent overview of the threat landscape.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for a number of innovative information security companies. He has addressed a number of major conferences, wrote the book ISO 27001 in a Windows Environment and is co-author of The Cloud Security Rules. He regularly contributes to a number of industry-recognized publications and serves as the European Editor for the SANS Institute’s weekly SANS NewsBites.