Convey the integral role that knowledge, data, information, and intelligence play (provide appropriate details and examples for each of these) not only in providing security as a whole, but how they are utilized in business continuity management efforts as well. Also, what future issues will have a direct impact on these topics as well and how should they be approached? 6 pages needed
The Future of Security
When considering what awaits the security profession in the years to come and those that will operate within it, developments and forecasts related to security science will in large part be shaped by what has occurred in the past and in the present day. What might occur, what is most plausible and feasible given current and expected occurrences, and what has proven to be effective (or not) will all need to be considered in determining those issues that will remain relevant or change. So predicting the future (not in the form of Nostradamus or similar prophets) as it relates to security is a technique that considers probable or desirable outcomes in the face of known or anticipated risks. So given this backdrop, where is security heading?
As long as there are structures that people operate within and house various assets, there will continue to be a need to offer needed protection related to them. All of the topics discussed in this course related to walls, fencing, sensors, alarm systems, guards, locks, and other such issues will be needed in some form or fashion. Whether through manual or technological means, these will remain a constant for the security administrator in providing appropriate defensive measures for the material, tangible assets they oversee. Concerning technology, the same trend will continue in serving as a needed aid in providing security moving forward. Mobile devices of various types, functions, capabilities, and their ability to access data, the ever-increasing use of robotics and the functions they can carry out, sensors that will be able to gain more intelligence regarding detection, and high frequency security cameras that will have the capability to verify the chemical compound of an object at a distance are just some of the many technical innovations on the horizon. Yet, just as technology has taken on a greater role in providing these efforts, so too does technology represent ever-increasing concerns to the security manager.
As society becomes connected on an ever-increasing basis, attention must be directed towards what implications this environment has related to not only security, but related privacy concerns as well. In Future Scenarios and Challenges for Security and Privacy (Williams, Axon, Nurse, & Creese, 2016), the researchers took a very methodical approach in considering some 30 predictions obtained from a variety of organizations and disciplines, consolidating them into ten defined scenarios. These scenarios took into consideration a range of not only technological possibilities that might occur over the next decade, but those that represented commercial and political ramifications as well. A brief overview will be provided regarding these various situations:
- Growth of the Internet-of-Things. The Internet-of-Things will permeate all aspects of daily life moving forward, making the lines between the physical and virtual worlds less defined. Unfortunately, this only lends itself to increased online risks and related threats and attacks.
- Proliferation of offensive tools. Although not all public or private sector entities will find themselves targeted by nation-states or other forms of government, the capabilities represented by a variety of simple attack tools can place individuals and organizations alike under the pervasive risk of identity theft.
- Privacy becomes reinterpreted. As it is with many issues, the overall concept of privacy can be viewed and defined differently. Nowhere is this more evident than in those labeled as “digital natives,” individuals who have been raised in an age of unfettered Internet access and increased use of (and dependence on) social networking. Although the development and use of these platforms have become commonplace and offer a host of benefits, they can be seen as invasive and present a number of risks and concerns regarding confidentiality.
- Repressive enforcement of online order. Issues related to free speech have and will continue to have an impact on security; where liberal versus what might be seen as repressive approaches regarding online activity are taken. Issues regarding surveillance, censorship, and regulations not only have the potential to impact attacks that are carried out in the cyber operating environment, but could inadvertently affect commerce and free enterprise as well.
- Heterogeneity of state postures. An environment made up of dissimilar or diverse elements can certainly be a positive in many ways. However, when there is a great disparity in how Personally Identifiable Information (PII) is defined, cooperation over cyber norms could be negatively impacted. This would generally be seen at the uppermost levels where certain governments may decline to prosecute their cyber criminals; where working relationships would no doubt be impacted. However, even in corporate America, this could be seen as well to varying degrees.
- Traditional business models under pressure. Each and every day, it seems that the landscape of the overall business community, associated operating frameworks, and issues related to intellectual property are all impacted by not only competitors, but those that would wish to do them harm through nefarious means. Although financial capital, ingenuity, and innovation will remain in high demand, “the evolution of new business models would see individuals’ personal data become the most valuable commodity” (2016, p. 3). As such data resides in global repositories on an ever-increasing basis, associated security concerns will also increase.
- Big data enables greater control. There is really nothing new with manipulating data in order to produce a desired outcome (as can be seen in every election cycle related to polls), but the amount of data that will continue to be accessible moving forward will have a great impact on how an individual’s behavior might be managed by both corporations and government. Such analysis could be utilized to customize everything from advertisements to campaigns, but straying away from these types of activities must be viewed with suspicion and appropriately guarded against.
- Growth of public-private partnerships. It should come as no surprise that as the amount of information submitted, stored, and retrieved about individuals increases, it would be shared between various entities as well. However, even though the sharing of data between those within the public and private sectors can offer a number of advantages, the risk of confidentiality being violated grows as the spectrum of these partnerships increases.
- Citizens demand greater control. The demand for transparency has become commonplace in our world today, especially as it relates to those who hold elected office. Yet the same demands and expectations by members of the public regarding personal data held online will require appropriate approaches and policies.
- Organizations value cyber-resilience. As more activities are carried out within the virtual environment, it becomes increasingly important for organizations to be resilient in the face of attacks on it. These can come as a result of activities carried out by external perpetrators, but insider threats must also be considered. Also, those known as “Advanced Persistent Threats” can especially wreak havoc and must be guarded against. This is where an attack is carried out on an entire network by unauthorized personnel who then remain there undetected for a long period of time.
After offering insight regarding each of these issues, the researchers turned their attention to what challenges await professionals in regards to both security and privacy in light of current practices. It was noted that a number of gaps can be found in existing guidelines; those that will prove insufficient in addressing the level to which technology permeates daily life. At its core, a fundamental understanding of online presence and protection of it is needed at the individual level. Likewise, organizations and the documents that have been developed to offer needed guidance would appear to fall short in relation to many of these issues noted. For instance, current recommendations do offer protection against certain risks as long as applicable devices are identified, inventoried, and monitored. Yet as it relates to the Internet-of-Things, it is expected that many of these devices will be personally owned; incorporated as part of their clothing or implanted. Therefore, accounting for each of them would simply not be feasible. So much work needs to be done in the areas of research and development, education and training, and the accompanying policies and guidance needed to enact and govern appropriate security measures.
The Security Professional of the Future
Based upon what has been discussed thus far, a rather dismal picture has been painted moving forward regarding the myriad of threats organizations will face and how to properly protect against them; especially related to technology. Yet as noted in the report Securing Our Future: Cybersecurity and the Millennial Workforce, the following concluding remarks are offered. “Cyber risks are likely to grow more pervasive and complex as technology becomes more ingrained in today’s lifestyle. However, this doesn’t mean the cause is lost — not even close. An increased cyber talent pool and efforts by governments, businesses and employees to practice safe-cyber activities can still lead to a safer online world for everyone” (2017, p. 16). It is obvious from this quote that a concerted, coordinated effort will be needed, and the security professional is an integral part of that broad-based initiative.
So what elements define and support the security professional, and what elements would most assist the drive toward the security professional? These are the two primary questions posed and addressed within the document Defining the Security Professional: Definition through a Body of Knowledge. Although conducted and published in 2010, I feel it still offers great insight regarding not only how the overall role of security has evolved in a way that incorporates a variety of disciplines and competencies, but seeks to move forward with a degree of certainty in the midst of an oftentimes ambiguous world. As we have noted throughout this study, security is far from being single dimensional in nature. This is evident in the fact that a single definition for security and all that it represents remains elusive, simply because it contains so many different facets. It has been stated that there are four key internal drivers of security, and those have been identified as criminology, risk, terrorism, and management (Borodzicz & Gibson, 2006). We have touched upon each of these throughout the preceding weeks, so they remain valid and will continue to impact the direction the overall profession of security takes in the future. Therefore, what steps must be taken on the road to professionalism? Let us now turn our attention there.
Education and Training
As it relates to any profession, there are certain characteristics that apply to all of them, and security certainly would be included as well. These include a workforce that is educated, an underlying infrastructure that is mature to the degree that it is self-regulating, leadership that is proactive in nature and recognizes its responsibility to all within the security sector as a whole, that develops and conveys a vision for the future, and that ensures a competent workforce is maintained. Yet what makes the security industry somewhat unique is that it is actually a mixture of a host of different disciplines that must work together in a defined and coordinated manner. Through it all, the greatest benefits will be derived from a workforce that is highly educated; advantages that will be realized by security professionals and clients alike. These include a higher level of service being provided to consumers of security services, the fact that all levels of training and education represent the most cost-effective solution in meeting customers’ needs, the management and technical skills needed “out in the field” will be enhanced, and a standardized approach regarding procedures and techniques will be attained through broad-based education as well. There are various avenues in which such learning and instruction can be attained, and ASIS International is one such example. ASIS is a professional organization focused upon the needs of security professionals and offers various certifications, standards, and guidelines for the security profession as a whole. As it relates to education, a number of options are provided to security professionals that allow them to build their base of knowledge, skills, and expertise at any stage of their career, both online and within the classroom.
This serves as but one of many options that are currently available, and stresses the importance of professional development as a whole, as well as building of, maintaining, and sharing a robust body of knowledge.
Ethical considerations are also at the heart of any recognized profession, and security cannot be any different. This should be stressed and receive appropriate attention by any organization, association, etc. associated with the educating, training, and certifying of those within the security industry. For instance, the previously mentioned ASIS offers the following on their website:
Aware that the quality of professional security activity ultimately depends upon the willingness of practitioners to observe special standards of conduct and to manifest good faith in professional relationships, ASIS adopts the following Code of Ethics and mandates its conscientious observance as a binding condition of membership in or affiliation with ASIS.
Details are then provided regarding how members shall perform professional duties in accordance with the law and highest moral principles, observe the principles of truthfulness, honesty, and integrity, shall be diligent in carrying out their professional responsibilities and do so in a competent manner, shall take needed steps to protect confidential information, and shall not maliciously harm the reputation of any colleague, client, or employer. Yet in the ever-changing landscape of providing security in the face of mounting threats, especially related to technology, it has been determined that a stressful situation can cause individuals to perform in an unscrupulous manner. This was the focal point of an article entitled Do ethics get in the way of security professionals?, where the author noted that a distinct increase in data breaches and an overabundance of successful cyber attacks may produce less than enviable responses and actions. In a study that was conducted at a security conference related to this issue, it was found that 20% of respondents have witnessed a company hide or cover up a breach, and that such security breaches are oftentimes used as leverage to increase security budgets (Zorz, 2015). Considering the fact that information technology security is somewhat in its infancy, it has been thrust into the spotlight from a number of different sources, whether they are political or business in nature, or related to the media. Unfortunately, such pressure and attention can often lead to the cutting of corners in order to meet expectations and demands. This only highlights the need to be attentive to this component of the security profession and the manner in which the various individuals operating within it understand their individual and collective responsibilities.
In this final lesson, we have but scratched the surface regarding what awaits the security industry moving forward in regards to threats and hazards that may be looming on the horizon, as well as the industry itself and what is needed to make it the respected and animal profession it truly is. The student is encouraged to build upon what has been offered here through various avenues. These include conducting your own research regarding the topics that have been addressed, becoming a member of a recognized organization within the overall security industry, attending related conferences and other such opportunities to not only build upon your base of knowledge and technical expertise, but expanding your professional network as well. The future is one that promises to be both challenging and exciting for the security administrator; offering a host of opportunities to take advantage of.
References
Code of Ethics. (n.d.). ASIS International. Retrieved from https://admin.asisonline.org/About-ASIS/Pages/Code-of-Ethics.aspx
Borodzicz, E. P., & Gibson, S. D. (2006). Corporate security education: Towards meeting the challenge. Security Journal, 19(3), 180-195.
Griffith, M., Brooks, D.J., & Corkill, L. (2010). Defining the security professional: Definition through a body of knowledge. Paper presented at the Proceedings of the 3rd Australian Security and Intelligence Conference, Perth, Western Australia. Retrieved from http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1004&context=asi
Securing Our Future: Cybersecurity and the Millennial Workforce. (2017). Raytheon. Retrieved from https://www.raytheon.com/sites/default/files/2017-12/2017_cyber_report_rev1.pdf
Smith, C., & Brooks, D. J. (2012). Security science: The theory and practice of security. Burlington: Butterworth-Heinemann.
Williams, M., Axon, L., Nurse, J., & Creese, S. (2016). Future scenarios and challenges for security and privacy. Department of Computer Science, University of Oxford. Retrieved from https://www.cs.ox.ac.uk/files/8337/2016-rtsi-wanc.pdf
Zorz, M. (2015). Do ethics get in the way of security professionals? Help Net Security. Retrieved from https://www.helpnetsecurity.com/2015/05/13/do-ethics-get-in-the-way-of-security-professionals/