
Sandeep Godbole
By Sandeep Godbole, CISM, CISA, CISSP, CGEIT, Information Security Professional and Author
Date published: 13 December 2023

Editor's note: The ISACA Now blog is looking ahead to 2024 with to-do lists from ISACA experts for professionals working in IT audit, risk management, information security, privacy and IT governance. Today, Sandeep Godbole shares his 2024 to-do list for security professionals. See more cybersecurity resources from ISACA here.

Around the new year, there is much discussion and anticipation among the cybersecurity community for what the future holds. The pace at which we continue to experience technological change leaves little time to prepare. The new year is not an inflection point where the change is concentrated; rather, the change is spread out across the year. Nevertheless, the new year reminds us to think about the future. These reflections help us understand what is coming, the extent of our preparedness and the prioritization of our security strategy.

Security risks, threats and malicious actors have been part of the connected technology world for a long time. The intent of malicious actors and of security teams remains the same. What has mutated is the behavior of malicious actors, driven by changes in technology and in the environment.

The field of artificial intelligence (AI), the rapid deployment of generative AI applications, the acceptance of cloud as the primary IT deployment fabric and the deployment of blockchain technology are among the more visible technology trends. Some of these trends are still nascent, while others have matured. Beyond technological advances, in 2023, political and strategic developments impacting the tech world also were significant. The world has seen military aggression and conflicts between nations, and even nations at peace have witnessed a slew of legislation directed at data protection and IT infrastructure. These dynamics combine to impose a significant strain on the security community.

Many entities publish their annual technology trends and predictions around this time of the year, and this is also a time for security professionals to build their to-do lists for the new year. In my view, the security community can benefit by placing these five things on their 2024 to-do lists: build AI knowledge, architect for cloud security, refocus security on the human element, build security governance, and do the boring things well.

1. Build AI knowledge

The buzzword for today's security professionals is AI (or GenAI). Many organizations are experiencing a large buildup of applications, utilities and models that leverage some form of AI. As security professionals, you may be expected to or may have already been called upon to advise upon the security of such solutions. While security architects contributing to specific solutions need a deeper understanding of the AI solution being integrated, all security professionals need a grounding in the security aspects related to AI. This requires an understanding of AI and the ability to review the AI aspects relevant to the implementation, including solution architecture, security controls, data protection, and non-technical aspects such as contracts.

2. Architect for cloud security

Cloud computing is no longer a novelty since most services have been offered for over a decade. However, the surge in cloud adoption and variety of services make it important for security professionals to guide on the architectural aspects related to cloud deployment. Given the nature of cloud services, security professionals have a role to play in either architecting or driving implementation of security controls related to data protection, protection of data flows, user management controls, detection and response, end-of-service obligations, etc. Service providers may offer security monitoring interfaces and utilities. Security teams can provide support by making maximum use of these.

3. Refocus security on the human element

This is a priority that never goes out of date. New technology brings new risks and new attack vectors, and many of them target users. From the user's perspective, it is important to appreciate that there are too many things that they need to address from a security perspective, and this list is not static. For example, user awareness related to keeping passwords secret has been relevant since the mainframe days, and since then, more has been added along the way with newer services and products. Cloud-based source code management systems require expertise to ensure safe usage and to avoid embedding credentials in code.

More generally, elements related to user security awareness need to be regularly revised. Security incident analysis, as well as plans to adopt new technologies, can help to identify additional areas relevant to the human element in security.

4. Build security governance

Working in a dynamic environment where tools, processes, risks and priorities keep changing is not an easy task. The diversity of risks, tools and controls creates governance challenges. Appropriate security governance supports the alignment, integration and management of the many security aspects. Security governance requires the organization, at different levels, to review, evaluate and steer the organization toward the appropriate level of security. Ensuring that technological changes are addressed as part of the governance scope is very important. Security professionals, leveraging relevant frameworks such as COBIT, play an important role in this process.

5. Do the boring things well

In the new year, don't let all of the new trends and technologies distract you from the fundamentals. Novelty always attracts interest, and routine activities rarely make heads turn. However, basic security controls are of the greatest importance when securing any organization. Whatever the technology adopted, getting the basics right is essential. Controls such as data classification, encryption, multifactor authentication, endpoint detection, cloud security-related solutions, external agency security scores and organization-specific darknet intelligence go a long way in protecting the organization. Regardless of the technology, basic security controls retain their importance in protecting the organization.

Different organizations will have different priorities and different risk profiles. The above discussion provides inputs that can be considered applicable to various organizations. For security professionals, alignment to organizational priorities and activities yields the best value and leads to effective risk management. Understanding technology trends and the current security environment helps to deliver optimal security risk management. The new year, 2024, promises to be an exciting one for security professionals, and I am confident you will enjoy the journey.
