As January 2017 has come to a close, the year is still new. Here are a handful of perspectives from InfoSec Compliance experts about what they see happening in 2017.
Magen Wu, Senior Consultant – Rapid7
2017 will be all about taking all of the data that we collect—be it logs, alerts, vulnerability scanning results, or security audit reports—and using it to create a holistic view of what our organizations look like from a security perspective. Additionally, security professionals and IT need to work together in order to be proactive about gathering, interpreting, and taking action on the data collected from their environments. Organizations’ IT environments have become too complex for IT and security professionals to remain isolated – clear, transparent communication will be the key to successful programs – on both sides of the house – as the lines between enterprise and personal devices continue to blur and IoT increasingly becomes a fact of life – and of the corporate network.
Kevin Berman, GRC Strategy and Enablement – Edgile
In today’s InfoSec day and age the digital world is only getting smarter. We are past the times where information sitting within internal firewalls is the Crown Jewels of data protection. The swift change in the paradigm to the connected network has game changed how we need to think about threats and vulnerabilities – both internal and external – to our organizations. The Internet of Things (IoT) has game changed the way we need to grasp InfoSec going forward by closing the gap on just how close a breach can be to a consumer, customer, patient, or other end user of a connected device. The risks are real, they are tangible, and in some cases they can be life and death. The Internet of Things is a necessary evil in today’s InfoSec day and age; the real question is, are you ready for it?
David Kidd, VP of Governance, Risk and Compliance – Peak 10
The two big stories in 2016 were the rise of both state-sponsored hacking and ransomware. In both cases the fundamentals of information security can help protect businesses. Keeping operating systems and anti-virus software updated, maintaining good security awareness training with employees, and keeping reliable backups can help ensure the confidentiality, integrity, and availability of critical systems and data.
David Ponder, Partner & Principal – GRCential
In 2017, we expect to continue to see the question, “Given our limited resources, how do we know we’re focusing on the right risks?” At GRCential, we emphasize the difference between compliance and risk, and the necessity for management efforts for each. Compliance with regulatory requirements seems to always be a high priority and therefore is easier for leadership to grasp. Failure to comply equals fines and other negative consequences. But understanding true risk management within the organization is more complex. It can be a struggle for those same leaders to comprehend how risk should be identified, measured, and addressed as part of strategic decision making. Solidifying leadership’s understanding of true risk and the similarities, differences, and relationship between risk and compliance will be all the more crucial if the expected shifts in the regulatory landscape in 2017 materialize.