"It doesn't matter what line of business you're in. We all have supply chains," he adds. "The challenge we face is how do we really know where our information is at each and every stage of the lifecycle? How do we protect the integrity of that information as it's being shared?"
In 2018, organizations will need to focus on the weakest spots in their supply chains, the ISF says. While not every security compromise can be prevented ahead of time, you and your suppliers will have to be proactive. Durbin recommends adopting strong, scalable and repeatable processes with assurance proportional to the risk faced. Organizations must embed supply chain information risk management within existing procurement and vendor management processes.
Regulation adds complexity of its own: the sweeping European Union General Data Protection Regulation (GDPR) will come online in early 2018, adding another layer to critical asset management.
"There probably isn't a conversation that I have with anybody, anywhere in the world in which GDPR isn't touched on," Durbin says. "It isn't just about compliance. It's about making sure you have the ability across your enterprise and supply chain at any point in time to be able to point to personal data and understand how it's being managed and protected. You have to be able to demonstrate that at any point in time, not just by regulators, but by the individual."
"If we're really going to implement this properly, we're going to have to change the way we're doing business," he adds.
The ISF notes that the additional resources required to meet the obligations of GDPR are likely to increase compliance and data management costs, and to pull attention and investment away from other activities.
Unmet board expectations
Misalignment between the board's expectations and the reality of the information security function's ability to deliver results will pose a threat in 2018, according to the ISF.
"The board, as a rule, does get it. It understands it is operating in cyberspace. What it doesn't understand, in many cases, is the full implications of that," Durbin says. "They think the CISO has it all under control. In many cases the board still doesn't perhaps know the right questions to be asking. And the CISO still doesn't perhaps understand how to talk to the board, or the business for that matter."
The ISF says boards will expect that their approval of increased information security budgets in past years will have enabled the CISO and information security function to produce immediate results. But a fully secure organization is an unattainable goal. And even if they understand that, many boards don't understand that making substantial improvements to information security takes time — even when the organization has the correct skills and capabilities in place.