any delays and issues caused by the current global shortage of IPv4 addresses. Some of your things may require access from the Internet or from third-party networks. Don't let a lack of routable IP address space hamper your IoT implementation.
To prevent network teams from becoming overwhelmed as greater numbers of more varied devices join the IoT, consideration should also be given to network control and automation systems, which can help tackle the inevitable increase in time-consuming manual tasks, such as IP address management, caused by an exponential increase in the number of devices on the network.
The Internet of Things represents myriad new and exciting opportunities, many of which are yet to be considered. But the IoT relies on networks,
Cath Everett
ture, this situation simply isn't happening, mainly because professionals are regarded primarily as techies.
According to a 2014 survey undertaken on behalf of malware protection software vendor ThreatTrack Security, just over two-thirds of the 203 C-level executives questioned felt that their chief information security officer (CISO) colleagues failed to have a sound grasp of
FEATURE
to be accountable for any organisational data breaches (44%).
Language barrier
Another issue is that the profession is comparatively young, having only been in existence for the past 30 years or so. This means that the current generation of practitioners often started their careers as hobbyists, but found that they were able to make a living doing what they enjoyed. The opportunity to follow a more structured, formal career path, of the kind associated with professions such as lawyers or accountants, was simply not open to them.
A key challenge as a result, says Gillespie, is the language barrier that often exists between them and senior business leaders. "It's a combination of infosec people not speaking business and the business not speaking techie, so they just don't understand each other," he explains.
An unlikely ally
Although such insurance may have been around for at least a decade in the guise of general liability or business interruption policies, it is only over the past 18 months or so that it has started to appear in the form of separate, dedicated products.
The creation of this specialist market has been sparked, of course, by the high level of well-publicised, and costly, mega-incidents that have taken place lately, leading to insurance companies spotting a gap in the market and deciding to fill it. And, interestingly, among the large organisations that PwC spoke to in its study, around 51% had already bought into the idea and made some kind of purchase, up from 45% the previous year.
In fact, so popular is it proving that Juergen Weiss, managing vice president of Gartner's industry research group, valued the total market at around $1.7 billion in 2014. He is also forecasting growth rates in the double digits, although he puts current penetration levels at more like 25-35%, with the US being the largest market by far as a result of its data breach notification laws, which have been enacted in all but three of its 50 states.
Figure: The average total organisational cost of a data breach over two years. Source: Ponemon Institute/IBM.
Immature market
The most likely sectors to put their hands in their pockets and buy cyber-security insurance today, meanwhile, are aerospace and defence, automotive, pharmaceuticals, utilities and financial services.
But a key concern at the moment is that the market is far from mature. A big problem here is the lack of clear standards for defining information security risk in an insurance context. This means that too many insurers offer one-size-fits-all policies based on information
Missing a trick
But even if they do ask, it appears that many practitioners are cynical about the value of such cover anyway as, despite the high cost of dealing with breaches, they fail to understand why it is necessary.
According to a poll conducted at the Infosecurity Europe show last year, for instance, more than two-thirds claimed that their organisation did have some form of cyber liability insurance in place. On the other hand, 63% professed themselves sceptical that insurers would pay out if they were hit.
The problem in taking such a stance, however, is that infosec professionals could be missing a trick. The issue is that, as the insurance industry continues to ramp up the amount of noise it makes about its new cyber-baby over the year ahead, brokers will inevitably start raising the matter with whoever looks after the insurance portfolio. The portfolio holder, in turn, may well give their head of security a visit to find out more, putting them on the back foot if they know very little about it.
Becoming an influencer
While Hare-Brown does not think that practitioners are likely to become the purchasing decision-makers any time soon, he does see them playing a key role as influencers.
"But I'm worried that, unless they pick up the baton, they won't even be that and the FD will just buy something and not even ask them about it, which wouldn't be good," he says. "It's quite vital that information security is involved as they understand the risk to the organisation and how it's being mitigated, and insurers want to know that too."
...Continued from page 19
"Insurance is a useful tool in the toolkit. Everyone can see the reasons for having it, but it can't be at the cost of ensuring that you have good quality processes, policies and controls in place," he says. "The danger is that people buy the premium and forget to do the foundation work, but unfortunately, on its own, insurance is just a waste of money."
Gartner's Weiss agrees. "I think it is worth looking at insurance if you treat risk management from an holistic perspective by examining the risk of occurrence versus impact," he says. "But in no way should it replace good risk management; it's really just a complementary addition."
Cath Everett has been an editor and journalist for more than 20 years, specialising in information security, employment, skills and all things HR. She has worked in the online world since 1996, but also has extensive
...Continued from page 3
States," he said. "This order formalises the administration's ability to use these tools, as the US has done in the past with other types of criminal activity."
He added that the order expands the US Government's options when responding to attacks, but that the potential response by other nations is less clear. "If the administration actually exercises these economic options, we'll experience previously unknown political friction between major countries. The most obvious targets of concern are Russia and China, but the world is economically and technologically interconnected in complex ways that make the consequences hard to predict. Spheres of economic influence are broader than geographic borders. Changes in how we respond as a country to cyber-attack will push the difficulties in accurate attribution to the forefront. The US will have to be very, very sure of the perpetrator before pulling the economic trigger."
Corey Thomas, president and CEO of Rapid7, also believes that the effectiveness of the new approach remains to be
References
1. No Respect: Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers. ThreatTrack Security, 2014. Accessed Mar 2015. www.threattracksecurity.com/resources/whitepapers/chief-information-security-officers-misunderstood.aspx.
2. Global State of Information Security Survey. PwC. Accessed Mar 2015. www.pwc.com/gx/en/consulting-services/information-security-survey/.
3. 2014 Cost of Data Breach Report. Ponemon Institute/IBM. Accessed Mar 2015. http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/.
EVENTS
24 June 2015: Infosecurity Europe, Olympia, London, UK. www.infosecurityeurope.com
23 June 2015: Infosecurity Intelligent Defence, Olympia, London, UK. www.infosecurityeurope.com/intelligentdefence
16 August 2015: Black Hat USA, Las Vegas, US. www.blackhat.com
29 September 2015: Government IT Security & Risk Management, London, UK. www.whitehallmedia.co.uk/govsec
April 2015