New Studies Outline Framework For Cyber-Threat Countermeasures

As increasingly complex cyber-attacks become more commonplace, businesses and governments need to take on a comprehensive and methodical approach to keeping their data, infrastructure and other resources safe.

This advice, which follows on the heels of extensive coverage of the Stuxnet and Flame worms, comes from the Information Security Forum, which has just released two extensive reports aimed at helping its membership plan security strategy from now until 2014.

’Security has become a very major business issue where the required skill sets extend beyond technical capability, and we are now more focused on people skills and business knowledge,’ said Steve Durbin, global executive vice president of the ISF. ’We’re seeing an uptick in demands on these individuals because people are becoming more aware of cyber-terrorism, cyber-war and cyber-crime.’

[Related: Incremental Security Roll-Out May be Channel’s Best Bet ]

Durbin points to increased mobility, increased IT consumerization and high-profile breaches that have had a material impact on the bottom line of most organizations while at the same time raising awareness of the inherent risks. ’It goes beyond the technical component, and is moving more towards a business discussion,’ he said. ’There's much more emphasis on consultative guidance, which often expands the roles of channel partners and other groups trying to serve the customer.’

Durbin noted that protecting public infrastructure is becoming a much more important objective than ever before, due to the emergence of privately sponsored terrorism, state sponsored terrorism and even hacktivism. Most of this infrastructure was designed and built in a time when protection against such threats was something of minimal concern, or not a concern at all.

From an organizational standpoint, we need to be much more aware that cyberspace does present challenges that move us beyond pure information risk management toward a more strategic level of risk management

’These will require us to have the policies in place and the people in place and the resources in place to deal with such attacks, if they should transpire,’ Durbin said. ’So governance, risk strategy and response plans need to be ready to go. So even if we are not hit with a Stuxnet or a Flame today, there could be variants with which we’re not yet familiar. You don't even need to be a primary target, if you are linked to one of these organizations, you could get the infection as well.’

NEXT: The Response

Durbin advises organization to adopt a four-phased approach that begins with an evaluation of the organization’s business model, ascertaining the full range and relative severity of the threat landscape, assessing the relative value of your data and infrastructure with an eye towards what you can and can’t do without, and, finally, developing responses to the various risks and implementing those responses.

’The channel can be instrumental in helping with these things,’ he added. ’I think it's a balance of the customer asking the right questions combined with the partner being open and transparent about what they can and cannot do. The onus is on both sides.’

The ISF was instituted 23 years ago as a non-profit organization developed by companies that wanted to pool their resources and create a solid environment in which to discuss and study issues around security.