As security threats and technologies have evolved over the years, the line between physical and IT security has also begun to blur. Indeed, CSOs and CISOs at many organizations now wear dual hats as their duties have become more intertwined.
In many ways, the threats posed to businesses from cyberspace can be just as damaging as a physical security incident, if not more so. Security managers have to prepare for everything from hackers trying to break into the corporate network to employees potentially leaking sensitive data on the Internet with their smartphones.
"We need to start thinking and acting differently," said eBay CISO Dave Cullinane in a keynote speech at the SecureWorld Expo in Atlanta on Tuesday. "It's a very transformational time."
According to Cullinane, the information security threats facing today's businesses are numerous and include an explosion in the development of malware and the proliferation of mobile devices. He said the key to mitigating these threats is for organizations to finally come together and share information on attacks, which is what increasingly sophisticated hackers have been doing for years.
"We've got to stop doing this to ourselves. Our adversaries are making a ton of money," said Cullinane. "We have to start re-thinking security."
Changing the way businesses think about security, however, must begin with a thorough understanding of what is a constantly evolving threat landscape. The following are a few trends that were highlighted at the expo.
Risk and the Cloud
Over the past several years, the security industry has been abuzz over the evolution of cloud services. The ability to shift some of the infrastructure costs of enterprise-wide access control and video surveillance onto a service provider is appealing to many organizations. However, for IT security professionals, pushing data to the cloud poses a completely different set of security challenges.
Though the control responsibilities between cloud service providers and end users increase or decrease depending on the level of service offering (Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service or Business Process-as-a-Service), end users still bear responsibility for protecting their data, according to Ben Halpert, director, IT risk leader – CIT information security and risk management at McKesson Corporation.
"You own 100 percent of the risk," Halpert told attendees in a session at the expo on Tuesday.
This need to weigh the risks in moving data to the cloud has become paramount as more companies have indicated a willingness to use it in some capacity. In fact, according to a CDW Cloud Computing Tracking Poll cited by Halpert, 28 percent of U.S. companies are currently using cloud computing.
Halpert suggests that companies thinking about leveraging the technology need to have cloud infrastructure architects on staff who are well-versed in cloud security and redundancy. He noted the recent Amazon cloud outage and the numerous businesses that were knocked offline because they failed to have the proper backup systems in place.
"If you're going to the cloud, you need to have a plan in place," Halpert said.
Of course, taking the extra steps necessary to make the cloud more secure will make the technology less appealing to some organizations. "When you do it the right way, the savings are not as great," said Halpert.
The Rise of "Hacktivism"
While financial motives primarily drove hacking attacks throughout the 90s and much of the 2000s, Carl Herberger, vice president of security solutions at Radware, says there has been a significant shift towards "hacktivism" over the last two to three years.
Hacktivism attacks are those perpetrated by individuals or groups such as "Anonymous" that are "ideologically-based" and seek change from a particular entity - be it a company, politician or government agency.
"When motivations change en masse... it changes the way in which we as security people do our jobs," Herberger said.