As the latest technology trends work their way into the business sphere, company data becomes susceptible to an increasing number of unknown threats. SearchCompliance asked five 2013 ISSA International Conference speakers what technology risk or trend they think poses the greatest security threat to corporations.
According to these experts, there are a number of technology risks that CISOs and other security professionals should have on their radar, including the increase in mobile technology, cloud implementation and big data. Watch the video or read the transcript below to learn whether your organization is at risk for a breach as it embraces the latest technology trends.
Jay Leek, CISO, The Blackstone Group LP: There are three distinct things happening right now in organizations that have been happening for some time. But I think we're at the tip of the iceberg, because this trifecta is coming together in a way that I think I don't understand. Very few -- if any -- of us understand what's happening.
The first one is mobile security. Everybody wants to be mobile, working from home. We all have multiple mobile devices. The second thing is data. Everybody wants access to their data anywhere, anytime. And what did I already say? They're mobile, so they want access to data on their mobile devices. The third thing is that a 22-year-old analyst who works in finance is a smarter IT person than many of those in the organization's IT department. He is the guy, or she's the person, who has the mobile device, who wants access to the data, who knows, "If I can't get access to the data, I'm smart enough to figure out how to get access to that data."
This is a trifecta that we treat as a security awareness program, as a data security program and as [a] mobile security program. We don't treat it as one common program. These three things are coming together; they've been coming together. I don't know where it's going over the next three to five years, but it's only going to get more significant. I think this is something that we're going to be challenged and faced with trying to solve this issue in a way that we haven't even thought about.
Eric Cowperthwaite, vice president of advanced security and strategy, Core Security Inc.: The stock answer is probably something along the lines of consumer IT or BYOD [bring your own device]. I'm not convinced of that, though. When we look at the events that are happening around us, what hits the news and the people who are being exploited and attacked, what we see is still very basic stuff.
The information we've gotten so far on the Adobe attack is that there was a ColdFusion vulnerability that had been understood and known for about six or seven months, and that was exploited. It wasn't something brand new and fancy, like someone with an iPhone that a bad guy figured out how to hack into and then get into the network. It was still the same old basic stuff.
The real answer here is not that there's new technology introducing problems, but that we haven't solved the basic problems in the first place. Until we solve those, we can't really worry about iPhones, in my opinion.
Evan Davison, security architect, Barling Bay LLC: Personally, I think it's this deferment of internal services to the cloud, where organizations are trying to save money on hardware or in-house expertise by pushing their services out to third-party organizations, whether it be cloud hosting providers, Office 365, Gmail or any of those types of services. While in some instances they do provide a higher level of security than some organizations can provide for themselves, most organizations do not realize the risk they're presenting themselves to with that exposure to data. Some of the organizations that [companies] entrust their data to might expose that information to other people. In some instances, [third-party organizations] may even expose companies' intellectual property, or their ability to maintain rights or control over that data from a legal sense.
In my opinion, you can never fully trust a third party any more than you're willing to, but some CSOs are really choosing to trust these third-party providers a lot more than they should.
Elliott Franklin, information security manager, Whataburger Restaurants LLC: I'm sure it's a common response, but for us we're seeing that bring your own device really is [opening organizations up to more technology risk]. Ultimately, it's about protecting the data. BYOD is a way for the data to leave the organization, and we may not know that if we don't have any control over those devices when they come in. How do we build the trust of our employees to bring in their device, then let us install some of our software on their personal devices that would allow us to have some control of their mobile device? Can I install something on your computer so that I can control the data on it even though you own it and it's your personal computer? Then if I break it, what happens with that software?
I certainly think BYOD continues to [open organizations up to risk], but it's ultimately the data. Cloud is the same challenge because, once the data goes to the cloud, I don't control it. Between those two, protecting the data is ultimately the key, but those are certainly going to be continuing challenges.
Eugene Spafford, professor of computer science, Purdue University: Well, I think there are multiple technologies [opening organizations up to more technology risk and threats] as we move forward, and that's always been the case with the introduction of new technologies. The market moves those technologies before thinking about the impact on not only security, but on privacy as well. With big data, there are certainly some security issues, but also privacy and how information is combined and mined.
The move towards cloud storage has all kinds of vulnerabilities associated with it that most people haven't thought of. They will move to the cloud and they will save money, but they don't think about where the data is located. What are the laws and the jurisdiction over that? How are those systems actually protected?
The newest technologies that I see at risk, and they're not necessarily new technologies, involve distributed sensors of various kinds, i.e., cameras and sensors of all sorts that are on the Internet and that therefore can be used for information tracking, finding information that is untended by whoever put them out there.
Then there is also this trend towards increased mobile computing. In regards to the ads that are appearing now for the cell phone in the watch, where is the thought given to what happens when these smart devices on our belts or our wrists are broken, lost or stolen, and all the information on them is either gone or in somebody else's hands? Those kinds of issues don't seem to be addressed by the vendors of those items or in the press coverage of their introduction. That's a problem for the end user because they're not in a position to think about it, either.