Information Systems Security Study

The International Information Systems Security Certification Consortium (ISC2) sponsored a study last year by the global analyst firm IDC. The Global Information Security Workforce Study noted that securing an organization’s information assets is a relentless battle.

The constant barrage of threats keeps information security professionals in a reactive mode. Cyber-criminals are generating attacks using a growing arsenal of weapons, including spam, phishing, malware, and spyware. At the same time, the intent of malicious activity has clearly shifted away from notoriety toward profit.

The formulation of a security strategy also requires people and processes to be addressed as significant areas for exposure. If overlooked, intentional and unintentional behavior of users, social engineering, lack of business continuity planning, or insufficient separation of duties can all lead to serious consequences.

Organizations must evaluate all internal and external risks on both physical and logical levels to properly execute against their risk management objectives. The study reported that the top 5 security technologies in the Americas in 2006 were:

  1. Biometrics
  2. Intrusion Prevention
  3. Wireless Security Solutions
  4. Identity and Access Management
  5. Security Event or Information Management

The most common applications for biometrics are physical access and an additional layer of strong authentication for IT systems access. In addition, biometrics is being leveraged as an additional credential that is linked to an individual’s identity for verification purposes, for example, e-passports and national identity cards.

Wireless security remains a pervasive problem that needs to be locked down and controlled. The proliferation of mobile devices, users wanting broad access, and the increasing mobility of the global workforce create a situation of risk and vulnerability in which organizations struggle to control and manage their IT environments.

In Europe and Asia, Forensics ranks among the top 5 technologies: the means of effectively dealing with, mitigating, responding to, and prosecuting computer-related abuse and crime. There is a growing need for decisive answers, quick responses, and evidence preservation to document attacks and system compromises that may cripple or completely disable any organization’s computer systems.

Although the person responsible for maintaining security in an organization is the cornerstone of protection, security is ultimately everyone’s duty. If any one individual fails to maintain and adhere to security policies, then all computing systems and the viability of the organization are at risk.

Information security is a global, organization-wide problem that cannot be addressed with technology solutions alone. It requires the unconditional commitment of an organization at the financial, management, and operational levels to proactively secure and protect the organization’s logical and physical assets.

Security management will always require the proper balance between people, policies, processes, and technology to effectively mitigate the risks associated with today’s digitally connected business environment.

People and processes are finally becoming recognized as the greater focal point for risk management efforts as technology is acknowledged to be an enabler for achieving organizational objectives, not the solution.

For more information, go to the International Information Systems Security Certification Consortium web site.