Option 1: Organizations will take the “diet pill” strategy
In the year 2017, organizations will be seen taking many shortcuts in the pursuit to do something with their security systems.
What most people don’t know is that the security program development process takes a time and is essentially process-based. The main purpose of a security program is to provide organized information for effective decision making.
The security program ensures to filter information from different sources. They know the information gathered isn’t perfect and that it requires going through inference, interpretation, and research to make it useful and instrumental in decision making. Even today, humans perform these functions of repeatable processes.
But, there is always diet pill salesman to take of these things that require energy and time to accomplish.
Throughout 2017, a diet pill strategy will be considered in security technologies for solving current states of information security. In spite of the great benefits that artificial intelligence can provide, the environment is still not ready to absorb it. Basically, the environment takes a lot of time to change within a modern organization.
The technologies have both value and merit. However, since they are emerging tools, they are to be used in a security program and cannot be left to operate on their own.
The scenario might change in the year 2027, but in 2017 artificial intelligence still, cannot be termed as effective as human decisions against repeatable and defined security program processes.
Humans always seek quick results. This will make many organizations fall for the diet pill. Many security programs will be developing in the near future and there will also be many companies to buy them in 2017.
Option 2: More expensive diet pill strategies like ISO 27001 will begin to lose favor
Some time back, ISO certifications were very much in trend. Organizations would obtain certifications for their security programs to make them look legitimate.
The companies would then hire consultants and would work on their ISO program for the multi-year certification. This trick worked for a while, but soon people realized that just having an ISO certificate doesn’t make a security program efficient.
Although these certification programs can improve information security capabilities in a corporation, the truth is that they are more focused to make you meet their requirements. These requirements are capable of hindering your organization’s capability of making an effective security system.
For instance, if you have a robust policy that aligns with ISO certification requirements, it doesn’t confirm that the policy would help in improving your security systems.
Moreover, organizations end up going through a lot of red tape and paperwork to obtain an ISO certificate. Companies have soon realized that these ISO certifications are pretty much like diet pills, which take a long time and essentially make your organization fatter.
There are in fact many companies who shy away from getting these certifications because the idea of up-front resourcing and the relentless effort to receive these certifications is off-putting.
These companies are in need of more time-appropriate solutions that have less impact on their front end while helping them in thwarting continuous attacks.
In my opinion, these experiences of different organizations will ultimately result in decreasing adoptions of these programs and frameworks compared to what we have seen in the past.
Option 3: Security Program Development will lead security initiative in most of the organizations
I truly believe that the year 2017 will be the year for security program development.
The programs focus on implementing 4 different functions in an organization:
- Setting a benchmark
- Measuring the security environment against the benchmark
- Taking issues and gaps identified in the measurement and presenting them to management to help them make informed decisions
- Supporting the implementation of the decisions that are made.
The situation has changed. Not only are people know acknowledging that they need an assessment, but organizations are now asking for security systems that can support their businesses rather than restraining them.
I think, this year 2017 will be a year of action and more organizations will realize the true meaning of security systems. Let’s hope for a great year ahead!
Need information on Security Program Development? Contact one of Information Security Experts.
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, provided hundreds of presentations, and built many Security Programs in both internal and external consulting roles