Like no other year before it, 2013 illustrated for the entire globe just how essential cyber security is to business endurance, economic durability and personal rights to privacy.
The fractured story of the NSA/Snowden drama seems unceasing and the various revelations that still are coming to the fore only continue to reinforce just how important information security controls are to just about everything we do these days. Whatever your political leanings, Edward Snowden's questionable acquisition and then sharing of confidential documents drives home the need for robust internal security mechanisms to faithfully address the many insider risks that plague all organizations. Then there's the result of the still forthcoming leaks, which illustrate just how vulnerable technologies like encryption are and just how essential personal freedoms and privacy are to most of us.
Too, as topics continue to splinter off from Snowden's initial decision to expose the NSA's secret snooping – which includes, as far as we know so far, the widespread email- and telephone-data gathering of private citizens and geopolitical leaders alike – we continue to contemplate many other ethical, security and privacy questions that plague the very concerning actions and decisions taken in the name of critical infrastructure protection and national security. Any multi-tiered, peopled construct, be it a government agency or a corporation, requires checks and balances. In this instance, even if these existed, they were overrun by individuals who were given too much power or autonomy to make devastating unilateral decisions. After all – and, again, no matter one's political leanings – one cannot argue with the now deep-rooted distrust felt by many an American citizen and plenty of U.S. allies for our government.
Beyond this story, of course, more issues have plagued security and privacy officers. Advanced persistent threats are proving the truthfulness of their moniker, causing plenty of problems for both commercial and government institutions. As well, challenges with BYOD, cloud services and other technologies on which we rely are proving just as chronic. Industry and government compliance mandates, too, are undying and seem only to push more organizations to embrace security, although, thankfully, it seems that nowadays these no longer are the lone driver. Other problems, too, such as advanced phishing schemes, ransomware and still more schemes to breach networks are driving executive leaders to embrace the fact that security is an integral part of the business as opposed to a mere supporter of it.
Meanwhile, as our political leaders squall like little children over issues that should be solved through intellectual discourse and compromise (yes, I expect way too much), antiquated laws like the Computer Fraud and Abuse Act still linger, causing plenty of legal conundrums and still other questions of ethics and fairness to arise. In addition, well-meaning efforts, like the President's Executive Order – Improving Critical Infrastructure Cybersecurity – seem to have resulted in few real impacts to public/private partnering to make data security and cyber controls a priority.
All of these concerns and the disquiet surrounding them will greet us all with the new year. Indeed, they may become even more acute as more and more IT security incidents bleed into and impact our physical worlds. In saying goodbye to the last 12 months, we must be prepared for what's to come in 2014. Some quiet before the next storm should do us all some good, helping us to be at the ready. Until then, let's all look forward to a prosperous and as-blissful-as-we-can-get New Year.