Five Things for Cybersecurity Professionals to Do in 2024

Author: Sandeep Godbole, CISM, CISA, CISSP, CGEIT, Information Security Professional and Author
Date Published: 13 December 2023

Editor’s note: The ISACA Now blog is looking ahead to 2024 with to-do lists from ISACA experts for professionals working in IT audit, risk management, information security, privacy and IT governance. Today, Sandeep Godbole shares his 2024 to-do list for security professionals. Check out more ISACA cybersecurity resources here.

Around the new year, there is much discussion and anticipation in the cybersecurity community about what the future holds. The pace at which we continue to experience technological change leaves little time to prepare. The new year is not an inflection point where the change is concentrated; rather, the change is spread across the year. The new year does, however, remind us to consider the future. These reflections help us understand what lies ahead, the extent of our preparedness and the prioritization of our security strategy.

Security risks, threats and malicious actors have been part of the connected technology world for a long time. The intent of malicious actors and of security teams is the same as it has always been. What has mutated is the behavior of malicious actors, and the architecture, which shifts with changes in technology and in the environment.

The field of artificial intelligence (AI), the rapid deployment of generative AI applications, the acceptance of cloud as the primary IT deployment fabric and the deployment of blockchain technology are among the more visible technology trends. Some of these trends are still nascent, while others have matured. Beyond technological advances, in 2023, political and strategic developments impacting the tech world also were significant. The world has seen military aggression and conflict between nations, and even nations at peace have witnessed a slew of legislation directed at data protection and IT infrastructure. These dynamics combine to impose a significant strain on the security community.

Many entities publish their annual technology trends and predictions around this time of the year, and this is also a time for security professionals to build their to-do lists for the new year. In my view, the security community can benefit by placing these five things on their 2024 to-do lists: build AI knowledge, secure the cloud architecture, refocus security on the human element, build security governance, and do the boring things well.

1. Build AI Knowledge

The buzzword for security professionals today is AI (or GenAI). Many organizations are experiencing a rapid accumulation of applications, utilities and models that leverage some form of AI. As a security expert, you may be expected to advise on the security of such solutions, or may already have been called upon to do so. While security architects contributing to specific solutions need a deeper understanding of the AI solution being integrated, all security professionals need an understanding of the security aspects related to AI. This requires an understanding of AI and the ability to review the AI aspects relevant to the implementation, including the solution architecture, security controls, data protection and non-technical aspects such as contracts.

2. Secure the Cloud Architecture

Cloud computing is no longer a novelty, since most services have been offered for over a decade. However, the surge in cloud adoption and the variety of services make it important for security professionals to guide the architectural aspects of cloud deployment. Given the nature of cloud services, security professionals have a role to play in either architecting or driving the implementation of security controls related to data protection, protecting data flows, user management controls, detection and response, end-of-service obligations, etc. Service providers may offer security monitoring interfaces and utilities. Security teams can support the organization by making the most of these.

3. Refocus Security on the Human Element

This is a priority that never goes out of date. New technology brings new risks and new attack vectors, and many of them target users. From the user's perspective, it is important to appreciate that there are too many things they need to address from a security standpoint, and the list is not static. For example, user awareness about keeping passwords secret has been relevant since the mainframe days, and more has been added along the way with newer services and products. Cloud-based source code management systems require expertise to ensure safe usage and to avoid embedding credentials in code.
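As an added example (not from the post), the kind of automated check that keeps embedded credentials out of a cloud-hosted repository: a small pre-commit scanner that flags assignments to credential-like names and high-entropy string literals. The regex patterns, the entropy threshold and the sample source are assumptions constructed for illustration.

```python
import math
import re
import sys

# Assignments to credential-like names with a quoted value (assumed patterns).
CREDENTIAL_NAME = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)\b"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# Long quoted literals that could be generated keys or tokens (assumed length).
STRING_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this example

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_text(text: str) -> list:
    """Return (line_number, reason) findings for the given source text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if CREDENTIAL_NAME.search(line):
            findings.append((line_no, "credential-like assignment"))
            continue  # one finding per line is enough to block the commit
        for match in STRING_LITERAL.finditer(line):
            if shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high-entropy literal"))
                break
    return findings

# Constructed sample: lines 2 and 4 should be flagged; line 3 reads the
# secret from the environment instead of the source and is not flagged.
SAMPLE = """\
db_host = "db.internal.example"
db_password = "hunter2hunter2"
api_key = os.environ["API_KEY"]
signing_key = 'x9Q2mL7vR3pK8tW1zB4nC6yH5'
greeting = "Welcome to the dashboard"
"""

if __name__ == "__main__":
    # Usage: python scan.py FILE...  (no arguments scans the built-in sample)
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    hits = [(n, f) for n, t in sources or [("sample", SAMPLE)] for f in scan_text(t)]
    for name, (line_no, reason) in hits:
        print(f"{name}:{line_no}: {reason}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```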

More generally, the elements of user security awareness need to be revised regularly. Analysis of security incidents, along with plans to adopt new technologies, can help identify additional areas relevant to the human element in security.

4. Build Security Governance

Working in a dynamic environment where tools, processes, risks and priorities keep changing is not an easy task. The diversity of risks, tools and controls creates governance challenges. Appropriate security governance supports the alignment, integration and management of multiple security aspects. Security governance requires the organization, at various levels, to review, evaluate and steer the organization toward the appropriate level of security. Ensuring that technological changes are addressed as part of the governance scope is very important. Security professionals, leveraging relevant frameworks such as COBIT, play an important role in this process.

5. Do the Boring Things Well

In the new year, don’t let all of the new trends and technologies distract you from the fundamentals. Novelty always attracts interest, and routine activities rarely make heads turn. However, basic security controls are of the greatest importance when securing any organization. Regardless of the technology adopted, getting the fundamentals right is critical. Controls such as data classification, encryption, multifactor authentication, endpoint detection, cloud security solutions, external agency security scores and organization-specific darknet intelligence go a long way in protecting the organization. Whatever the technology, basic security controls retain their importance in protecting the organization.

Different organizations will have different priorities and different risk profiles. The discussion above provides inputs that can be considered applicable to various organizations. For security professionals, alignment with organizational priorities and activities yields the best value and leads to effective risk management. Understanding technology trends and the current security environment helps deliver optimal security risk management. The new year, 2024, will be an exciting one for security professionals, and I am sure you will enjoy the ride.
