The constantly changing threat landscape also requires CIOs and CISOs to abandon the traditional way of looking at security: no longer can they only stress the difference between living inside the secured zone and keeping threats at bay outside the boundary. "If you're still dealing with perimeters, 'demilitarised zones' and firewalls alone, thinking there's [a secured] inside and [unprotected] outside, you may not have the level of security to face off a lot of new technologies from attackers," Chng cautioned.
Although there are many new security solutions that can meet these new threats, Chng also said that not all could be applicable to one's organisation. "Security is not just about getting the job done. In fact, the gap between what information security functions are doing and should be doing has widened," he said. The survey report showed that information security is not getting the job done: only 16 percent of respondents indicated that their function fully met their needs, while 70 percent said that the function only partially met their needs.
"There is a disconnect between the CIO and the rest of the C-suite executives. Business doesn't think IT is doing what they're supposed to, but IT thinks otherwise. [IT people] think they are doing a fair share of the job. It's really about alignment from IT to business, within IT, and security, to IT."
There's no denying that incidents and threats are on the rise—whether the number of attacks has been increasing, or the ability to detect such an attack is increasing. Referring to the survey report, Chng said that 31 percent of respondents saw increases in security incidents, and only 10 percent saw a decrease in 2009, while some 41 percent saw an increase in external attacks. In 2012, that number rose to 77 percent.
Response to cloud-related risks had been slow: In 2010 only 30 percent indicated they were currently using or planned to use cloud computing services. By 2012, the number doubled. Yet, 38 percent indicated that they had not taken any measures to address cloud-related risks.
Chng said: "There are two schools of thought regarding cloud: if you're in a regulated industry, probably the mandate is, 'no cloud'. That's what the regulators say. The other school of thought is, cloud is one of those technologies that none can afford to ignore. It is a business model that will gradually have its place in the organisation. It levels the whole playing field for small companies. It will allow small companies to have the same compute power, bandwidth and storage as large organisations have."
Chng further added that cloud security standards will also be emerging and maturing, such as those put forth by the Cloud Security Alliance.