The Future of Information Security
Deloitte Insights Video
The proliferation of disruptive technologies, heightened sensitivity to privacy issues, a backdrop of persistent cyber threats, and stronger regulations have raised the bar for information security. It's time for security functions to evolve from tactical firefighter to strategic business enabler. Enterprises of all types need to take a step back, understand where their information assets are, how to value them, how they need to protect them, and which constituencies they need to account for, and take a circumspect view of their security programs.
Tune into this episode of Deloitte Insights to learn more about what organizations need to do to keep their data safe.
Ed Powers, Principal, Deloitte & Touche LLP
Irfan Saif, Principal, Deloitte & Touche LLP
Sean O’Grady, Host, Deloitte Insights: Hello and welcome to Insights. Today, we are discussing the future of information security and investigating what governments and organizations must do to keep their data safe. Joining us today in New York to discuss this topic are two guests: the first is Ed Powers, a principal in Deloitte and Touche LLP, and the second is Irfan Saif, also a principal in Deloitte and Touche LLP. Gentlemen, thank you very much for joining us today in New York. My first question is, why is information security such a big talking point today and what are companies doing to take a deeper look at this?
Irfan Saif: Well, Sean, fundamentally, the world has changed in IT and in business, and companies are looking at the convergence of some major disruptive technologies: cloud computing, social, and mobile computing as well. And so when you look at the combination of all of these things, you look at how quickly companies are willing to adopt new technologies and roll out new services both to their employees, to their business partners, but also to their customers. That means that there is a lot more change and a lot more evolution that is happening within the business today, and IT and security need to keep up with that. And so I think when you look at it, combine that with the frequency of attacks that are happening today at companies, cyber threats and so forth, you find that these threats are more sophisticated, they are larger and more impactful in nature, and so you take all of those things together and IT security really has its work cut out. There is a lot to do and there is a lot to keep up with.
Sean: How about you Ed, do you agree?
Ed Powers: I think that is right. The complexity that Irfan is talking about is really one side of the coin. The other side of the coin is really the heightened visibility and expectations across a broad spectrum of stakeholders. We have, on the one hand, customer expectations that are higher than they have ever been around the protection of sensitive data. Regulators are more active than they have ever been in this space. As a result, the boards and senior management of organizations have really made information security a key area of focus. So, you have sort of an intersection of this complexity on one hand and heightened sensitivity on the other that are really making this a very challenging set of issues for organizations.
Sean: Thank you for that Ed. Now, with respect to the change in the landscape that you had been speaking about, how do you advise executives about the risks in this area, Irfan?
Irfan: Well, Sean, let’s look at sort of a couple of key trends or key types of risks, if you will. First of all, you have got the fact that these companies today are targets of choice. Attackers are very, very purposeful and very, very specific in who they are going after, but at the same time, they are kind of opportunistic too. So if you give them an opening, they are going to take it. Now, in addition to that, if you look at the types of attackers that are out there, they are incredibly sophisticated, quite often they are organized crime or state-sponsored actors, and so they have got tremendous resources, they have got lots of skills, and they have got lots of time. So, they have some advantages in that sense, and sometimes, they are much more proficient at newer technologies and ways to use them and to exploit than companies are sophisticated to actually use them to protect. So, they are very, very sophisticated. I think there are a couple of other things to think about too; one that I should not miss out is the insider threat. The insider threat is critical because if you look at the old days of the castle and the moat, they just do not apply anymore. You can’t guarantee that you are going to keep everyone out, and the way that your business landscape works, it’s much more distributed now than it has been before. So, I think for all those reasons, it is critical to think about all those dimensions. I think the other one that I should not miss out is risk, and I think the regulatory landscape particularly has evolved.
I didn’t bring my crystal ball, but if I had and looked forward, I would imagine that the trend will continue for more specific, more prescriptive legislation, regulation, and guidance to make the protection of data a higher priority; to make the prescription of how that’s protected a higher priority; and also to make transparency more open and clear, because today I think there is a lot of protection, if you will, around what’s happening and whether people know that attacks are occurring or not.
Sean: And Ed, do you agree with that risk assessment?
Ed: I think that is absolutely right. And if you really look at the threat landscape that Irfan just painted, we encourage organizations to look at that landscape through a variety of lenses that are almost concentric, if you will. At the broadest level, it is really sort of the marketplace and the world in general, the risks that most organizations face regardless of where they are doing business or what type of business they are in, and those are pretty generic across the board and very important. The next lens, which is sort of a little more narrow, is really around the industry, because what industry you are in really determines a lot of the risks you face and a lot of the threats that are coming at you. For example, industries like financial services and health care and life sciences are really focused on issues related to protection of sensitive data, whether it be their customers’ or patients’ or, really, any personal data. But then, we also see similar but different areas of focus for other industries, such as critical infrastructure industries like transportation and energy. So you look at that as sort of the industry view, and then it is important to look at your own organization itself. Because even within an industry or a sector, you are going to find that depending on how you are doing business, your business models, your various partnerships that you have, those are all going to influence what your risk landscape looks like. So if you take what Irfan just described, sort of broadly, that is really what the environment is, and you need to look at it through various lenses in order to get a good picture of what you want to be doing as an organization.
Sean: Thank you very much for that. I would like to crystallize the lens a little bit and that comes to the question of priorities. So, we have thrown a lot of things out here. How does an organization begin to prioritize around these threats and concerns, Irfan?
Irfan: If you think about an approach to this, it is clearly going to be based on risk. So, if you look at the different kinds of risks that you have across the organization holistically and you apply some level of prioritization based on different factors, you can start to then come up with where your key risks are and, therefore, where you should be spending the majority of your time, money, and resources to protect. The reason I say that is because today too many companies sit and look at their risks from the inside out, and frankly, they sometimes miss some of the bigger risks that attackers see, and so as an organization, you need to look at the information that you have, try and supplement things that are happening inside the organization with these external feeds and with this external intelligence information, if you will, and use that to make decisions about how you are going to manage security and how you are going to manage risks.
Sean: Ed, your thoughts on prioritization?
Ed: Prioritization is key obviously. Irfan talks about taking a risk-based approach, which is absolutely the right thing to do. It is important to understand that as complexity increases and the environment changes and this evolution is occurring, organizations are still very constrained in terms of resources, both financial and human resources. So prioritization really becomes the key to operationalizing whatever you need to do strategically in order to address a lot of these concerns. So we see organizations really taking this risk-based approach and then looking at how they are going to assign their resources, their time, their energy, and their people to a variety of different initiatives to score off as best as they can against these emerging threats.
Sean: Excellent! I think my last question for you is just that. It comes down to resources. If every organization had millions of dollars and people to throw against it, they could probably right the ship rather quickly, but if they don’t have those resources, what are they to do?
Ed: I think the most important thing that organizations can do is to think strategically about what they are doing. It is too easy to see threats in front of you or to see issues on fire in front of you and allocate all of your resources to those. It is the natural thing to do. What organizations really need to be able to do is take a step back, understand where their information assets are, how they need to protect those, what various constituencies they need to account for, and really take a very strategic and circumspect view of the security programs in order to make sure that they are spending their time, their energy, and their resources on the right things.
Sean: Irfan, your final thoughts?
Irfan: Yeah, I would agree. I think that ultimately security functions must evolve from that tactical firefighting mode to being a much more strategic, much more valued part of the business. What I think they need to do is, No. 1, not just focus on compliance at the cost of a lot of other important risk management-based activities. I think they need to get more engagement with executive management, and they need to start speaking the same language as executive management, because I think that will let them engage in more strategic dialogue, and then I think they need to become enablers of the business. So they need to be engaged, they need to look at how they are supporting the business, and they need to stop saying no to everything by default.
Sean O’Grady: So change your perspectives. Gentlemen, thank you very much for joining us today in New York. Alright, we have been talking about the future of security with Ed Powers, a principal in Deloitte and Touche LLP, and Irfan Saif, also a principal in Deloitte and Touche LLP. If you’d like to learn more about Ed, Irfan, or any of the topics we discussed on this program, you can find that information and much more by visiting our website. It is www.deloitte.com/us/podcasts. For all the good folks here at Insights, I am Sean O’Grady. We will see you next time.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.