Changing Landscape in 2008 for IT Security Chiefs
By MARC RAPPORT

CAMBRIDGE, Mass. -- Credit union IT security managers who think the first and only line in their job description is staying ahead of hackers and reacting to "tactical security events" might want to get with the changing times.

According to the Forrester Research analyst Jonathan Penn, "In 2008, we will see executives and business managers recognize the changing goals of security programs and support efforts to align security structure, focus and practices with these new goals."

In a new report titled "Five Trends that will Shape the IT Security Profession in 2008," Penn said these new goals broaden the focus from IT security to information risk management.

He said chief information security officers must think of IT governance, risk management and compliance (GRC) as three interrelating areas, noting that these elements no longer should exist as three separate principles.

"CISOs will play a critical role in helping their organizations adopt a unified approach to these disciplines under the IT GRC umbrella," Penn said. "IT GRC will lead security professionals to pay increased attention to security performance management and such areas as metrics, staffing and sourcing, organizational structure, and wider IT risk posture."

Meanwhile, security countermeasures are becoming commodities built into network and operating system infrastructure. That, Penn said, is splitting security work in two: operational teams that run specific technical controls, and teams that focus on the business problems of risk management.

Another issue plaguing institutions is the migration of cyber attacks from the network layer to the application layer. Applications, particularly Web applications, are major targets because they handle sensitive data such as credit card numbers and intellectual property, Penn noted.

Reactive measures--waiting for an attack at a known weak point and then fixing it--are becoming less viable as regulations such as PCI play a larger role.

"Organizations preparing for next-generation security architecture are now moving to develop proactive application security programs that extend through every relevant phase of the application life cycle, from conception to operation," Penn said.

That's also in reaction to the increasing liability and exposure that comes with sharing consumer data with partners, outsourcers and offshore sites. In response, Penn said, institutions are looking for new ways of protecting the infrastructure of their systems and the data contained in them.

For senior IT security managers, that includes contributing to data classification, deepening their understanding of the business processes in which the data is used, and exploring encryption, rights management and information leak protection.

Finally, "civil litigation, regulatory mandates and robust incident management process require attention to digital investigation, forensics and e-discovery," Penn said. These all are part of broad information risk management.

"Many organizations now recognize e-discovery, specifically, as a daunting challenge for which they are ill prepared and the costs of which they seek to control," the Forrester analyst said.

--mrapport@sc.rr.com
